PWG> Date: Tue, 29 Jan 2008 15:50:50 -0500
PWG> From: Patrick W. Gilmore

PWG> [Z]one transfers, while not as bad as individual lookups, are still
PWG> a bad idea IMHO. For instance, are you sure you want your dynamic
PWG> filters 30 or 60 minutes out of date?

As opposed to infinitely out-of-date (i.e., no filters)?

Don't get me wrong; I'm none too keen on using DNS to distribute IP
ACLs. I just am nitpicking that one particular point.

PWG> BGP was discussed, but such feeds already exist and do not require a
PWG> firewall. IMHO, this is better than anything DNS-based.

Using zone transfers is like using RIP. *shudder*

Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
________________________________________________________________________
DO NOT send mail to the following addresses:
davidc@brics.com -*- jfconmaapaq@intc.net -*- sam@everquick.net
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.