[TriLUG] OT: DSL for SOHO in Chapel Hill

Ben Pitzer uncleben at mindspring.com
Tue Jan 27 10:45:39 EST 2004


Pointing to a CNAME is iffy.  What happens if the A record that the CNAME
points to is removed or changed?  Then the CNAME is broken, thus breaking
the NS record.  And from the most pragmatic point of view, BIND 9.x and many
of the newer versions of DNS servers coming up won't look up these records,
because of a failure in RFC compliance.  Basically, looking up glue records
to find the host's IP (or vice versa) is time consuming and not all that
reliable or secure.  Depending on glue records means that there is a chance
that the recursive lookup server may pull bogus data, forwarding you to an
IP that is incorrect, or worse, a mocked up, bogus phishing site, for
example.  By making sure that your NS records are A records, you can reduce
the chances that your site's visitors are getting the information on finding
your site from the proper authoritative source, and it's much more difficult
for attackers to exploit.

Make sense?

Regards,
Ben Pitzer

---------------------------------------------

"Those that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
 --Ben Franklin--




> -----Original Message-----
> From: trilug-bounces at trilug.org [mailto:trilug-bounces at trilug.org]On
> Behalf Of Lisa Lorenzin
> Sent: Tuesday, January 27, 2004 10:28 AM
> To: Triangle Linux Users Group discussion list
> Subject: RE: [TriLUG] OT: DSL for SOHO in Chapel Hill
>
>
>
> > 1.  Make sure that your domain points to the A record hostnames for your DNS
> > provider.  All too often I come across zones that are pointed to CNAMES in
> > their NS or SOA records.  This is very bad, and most BIND 9.x servers will
> > fail to look your domain up in this circumstance.
>
> does anybody know what technical problem is caused by having a zone point
> to a CNAME?  i'm not looking for "it's not in compliance with the spec" -
> i understand that.  i'm curious why the spec is written that way, and what
> problem they're trying to solve or avoid...  it's something i've never
> understood.
>
> regards,
>
> lisa
>
>
> --
> lisa lorenzin  |  lorenzin at 1000plus.com  |  http://www.1000plus.com/lisa/
> of what avail is an open eye if the heart is blind? - solomon ibn gavirol
>
> --
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ  : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
>
>
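To make the point in Ben's reply concrete, here is an added example (not code from the list thread) that reads a small constructed zone and flags NS and SOA targets that are CNAME aliases (forbidden by RFC 2181 section 10.3) or that have no address record to serve as glue. The zone text and the `example.test.` names are made up for the example.

```python
from collections import defaultdict

# Constructed sample zone (not a real domain): ns1 is a proper A record,
# ns2 is a CNAME alias, ns3 has no address record at all.
ZONE = """
example.test.       IN  SOA   ns1.example.test. hostmaster.example.test. 2004012701 3600 900 604800 86400
example.test.       IN  NS    ns1.example.test.
example.test.       IN  NS    ns2.example.test.
example.test.       IN  NS    ns3.example.test.
ns1.example.test.   IN  A     192.0.2.10
ns2.example.test.   IN  CNAME ns1.example.test.
www.example.test.   IN  A     192.0.2.20
"""

def parse_zone(text):
    """Return {owner: [(type, rdata), ...]} from a minimal zone-file text.
    Assumes fully qualified owner names, class IN, no $ORIGIN/$TTL lines."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.split(';')[0].strip()      # drop comments and blanks
        if not line:
            continue
        owner, _cls, rtype, rdata = line.split(None, 3)
        records[owner.lower()].append((rtype.upper(), rdata.strip()))
    return records

def check_ns_targets(records, zone):
    """Return [(target, problem)] for every NS target and SOA MNAME of `zone`
    that is a CNAME alias or that has no A/AAAA record in the zone data."""
    problems = []
    for rtype, rdata in records.get(zone.lower(), []):
        if rtype == 'NS':
            target = rdata
        elif rtype == 'SOA':
            target = rdata.split()[0]          # MNAME is the first SOA field
        else:
            continue
        types = {rt for rt, _ in records.get(target.lower(), [])}
        if 'CNAME' in types:
            problems.append((target, 'NS/SOA target is a CNAME alias'))
        elif not types & {'A', 'AAAA'}:
            problems.append((target, 'NS/SOA target has no address record (no glue)'))
    return problems

if __name__ == '__main__':
    for target, problem in check_ns_targets(parse_zone(ZONE), 'example.test.'):
        print(f'{target}: {problem}')
```

The same check against a live zone would replace the constructed text with records fetched from the authoritative server, which is where the broken-alias and missing-glue cases Ben describes actually bite.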
