On Jan 18, 2008 10:18 PM, Roland Dobbins <rdobbins@cisco.com> wrote:
host.somewhere.net in a firewall rule in a PIX/ASA/etc. as opposed
It's not only a security issue, but a performance issue (both resolver and server) and one of practicality, as well (multiple A records for a single FQDN, CNAMEs, A records without matching PTRs, et. al.). The performance problem would likely be even more apparent under DNSSEC, and the practicality issue would remain unchanged.
Roland, For renumbering purposes, you could reasonably expect the firewall to perform the translations once when rebooted or reset, after which it would use the discovered IP addresses. This would only fail where the firewall was being operated by someone in a different administrative domain that the engineer who has to renumber... And those scenarios are already indicative of a security problem. Unfortunately, we're all ignoring the big white elephant in the room: spam filters. When a large flow of email suddenly starts emitting from an address that didn't previously send significant amounts of mail, a number of filters squash it for a while based solely on the changed message rate. This can be very traumatic for the engineer trying to renumber and it is 100% outside of his realm of control. And of course, you lose all of the private whitelists that you talked your way on to over the years where you no longer have a valid point of contact. Renumbering is a bad bad thing. Regards, Bill Herrin -- William D. Herrin herrin@dirtside.com bill@herrin.us 3005 Crane Dr. Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004