nanog mailing list archives

Re: CNAME records in place of A records

From: Kevin East <kevin.east () theeasts net>
Date: Fri, 6 Nov 2020 04:44:04 -0600

Are you using A records in a domain you own and pointing at their IPs? I'm
not aware of any security vulnerability exploiting A vs CNAME.  If they are
hosting on a domain they own vs one you own, the use of a CNAME would allow
them to change the A record IP without less impact to you, it would also
allow them to remove the A record and effectively stop traffic targeting
the host via a resolved IP.

On Fri, Nov 6, 2020, 4:08 AM Dovid Bender <dovid () telecurve com> wrote:

Hi,

Sorry if this is a bit OT. Recently several different vendors (in
completely different fields) where they white label for us asked us to
remove A records that we have going to them and replace them with CNAME
records. Is there anything *going around* in the security aranea  that has
caused this?

Current thread:

CNAME records in place of A records Dovid Bender (Nov 06)
- Re: CNAME records in place of A records Jun Tanaka (Nov 06)
- Re: CNAME records in place of A records Ray Orsini (Nov 06)
  - Re: CNAME records in place of A records Dovid Bender (Nov 06)
    - Re: CNAME records in place of A records Matthias Luft via NANOG (Nov 06)
    - Re: CNAME records in place of A records Alain Hebert (Nov 06)
- Re: CNAME records in place of A records Kevin East (Nov 06)
- Re: CNAME records in place of A records Sabri Berisha (Nov 06)
  - Re: CNAME records in place of A records Doug Barton (Nov 06)
- Re: CNAME records in place of A records Matt Palmer (Nov 08)
  - Re: CNAME records in place of A records Rob McEwen (Nov 08)
    - Re: CNAME records in place of A records Mark Andrews (Nov 08)
    - Re: CNAME records in place of A records Matt Palmer (Nov 08)
    - Re: CNAME records in place of A records Mark Andrews (Nov 08)
  - Re: CNAME records in place of A records Arne Jensen (Nov 09)