nanog mailing list archives
Re: CNAME records in place of A records
From: Mark Andrews <marka () isc org>
Date: Mon, 9 Nov 2020 12:25:11 +1100
On 9 Nov 2020, at 12:01, Rob McEwen <rob () invaluement com> wrote:

> On 11/8/2020 7:10 PM, Matt Palmer wrote:
>> On Fri, Nov 06, 2020 at 05:07:26AM -0500, Dovid Bender wrote:
>>> Sorry if this is a bit OT. Recently several different vendors (in completely different fields) where they white label for us asked us to remove A records that we have going to them and replace them with CNAME records. Is there anything *going around* in the security arena that has caused this?
>>
>> The closest thing to a *security* issue I can think of is IP agility in the face of DDoS attacks -- most booter-style attacks are dumb as rocks, and null-routing the target IP and moving all the customers on that IP to another one is the easiest solution.
>>
>> However, there are many *other* great reasons to get customers to CNAME onto their SaaS vendors, including:
>>
>> * No need to coordinate routine renumbering events;
>> * IPv6 support;
>> * CAA record (SSL cert issuance) support; and
>> * no doubt a bunch of other reasons I've forgotten for the moment.
>>
>> Basically, if you sign up for a SaaS that uses your own domain and they *don't* give you a CNAME target to point at, I'd be very cautious, because they're either *very* new to the game, or they're probably also operationally deficient in a lot of other areas, too.
>>
>> - Matt
>
> except - don't forget that the root of a domain (that domain without "www." or any other label) - cannot have a CNAME as the "A" record - fwiw…
Which is why there are HTTPS and SVCB records coming and SRV exists. You don’t need CNAME, you need indirection. Indirection does require a small amount of client support.
> -- Rob McEwen, invaluement
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka () isc org
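
The apex restriction raised in the quoted reply above, as an added example that is not part of any message in this thread: the zone apex always carries SOA and NS records, and a CNAME may not share an owner name with other record types, so a zone can be checked for this before it is published. The zone contents and the names `example.com` and `saas-vendor.example` are constructed placeholders, and the parser assumes fully qualified, one-line records.

```python
from collections import defaultdict

# Constructed sample zone (placeholder names, documentation address space).
ZONE = """\
example.com.      3600 IN SOA   ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 3600
example.com.      3600 IN NS    ns1.example.com.
example.com.      3600 IN CNAME customers.saas-vendor.example.
www.example.com.  3600 IN CNAME customers.saas-vendor.example.
shop.example.com. 3600 IN CNAME customers.saas-vendor.example.
shop.example.com. 3600 IN TXT   "owner=web-team"
ns1.example.com.  3600 IN A     192.0.2.53
"""

# DNSSEC signing records are the only types allowed beside a CNAME.
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC"}


def parse_zone(text):
    """Parse 'name ttl class type rdata' lines into (name, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, _ttl, _cls, rtype, rdata = line.split(None, 4)
        records.append((name.lower(), rtype.upper(), rdata))
    return records


def zone_apex(records):
    """The apex is the owner name of the zone's SOA record."""
    return next(name for name, rtype, _ in records if rtype == "SOA")


def cname_conflicts(records):
    """Map each owner name holding a CNAME to the record types that clash with it."""
    types = defaultdict(set)
    for name, rtype, _ in records:
        types[name].add(rtype)
    return {
        name: sorted(seen - ALLOWED_WITH_CNAME)
        for name, seen in types.items()
        if "CNAME" in seen and seen - ALLOWED_WITH_CNAME
    }


if __name__ == "__main__":
    recs = parse_zone(ZONE)
    for name, clash in cname_conflicts(recs).items():
        where = "zone apex" if name == zone_apex(recs) else "subdomain"
        print(f"{name} ({where}): CNAME coexists with {', '.join(clash)}")
```
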