nanog mailing list archives

Re: CNAME records in place of A records


From: Matthias Luft via NANOG <nanog () nanog org>
Date: Fri, 6 Nov 2020 16:57:27 +0000

While the change from A to CNAME itself is probably not based on security considerations, a CNAME pointing to a CDN or similar can result in future security issues, i.e. you want to closely monitor your externally pointing CNAMEs when you get rid of external services: https://www.hackerone.com/blog/Guide-Subdomain-Takeovers

On 06.11.20 05:34, Dovid Bender wrote:
Interesting. We got a few requests at the same time which is what made me wonder. I wanted to make sure that there wasn't something I was missing.


On Fri, Nov 6, 2020 at 5:25 AM Ray Orsini <ray () oit co> wrote:

    It's not a security thing. We do this with the resellers who
    white label our VOIP. CNAMEs allow us to be flexible with our own
    hosts and infrastructure without having all of our resellers change
    DNS records.
    Ray Orsini
    Chief Executive Officer
    OIT, LLC


    ------------------------------------------------------------------------
    *From:* NANOG <nanog-bounces+ray=oit.co () nanog org> on behalf of Dovid Bender
    <dovid () telecurve com>
    *Sent:* Friday, November 6, 2020 5:07:26 AM
    *To:* NANOG <nanog () nanog org>
    *Subject:* CNAME records in place of A records
    Hi,

    Sorry if this is a bit OT. Recently several different vendors (in
    completely different fields) where they white label for us asked us
    to remove A records that we have going to them and replace them with
    CNAME records. Is there anything *going around* in the security
    arena that has caused this?
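
The monitoring of externally pointing CNAMEs suggested in the first message of this thread, sketched as an added example (it is not part of the thread or any poster's code): it picks out CNAMEs whose targets sit outside your own domains and marks those whose target no longer resolves. The zone data, the `example.com`/`example.net` names, and the function names are constructed assumptions.

```python
import socket
from typing import Callable, Iterable, List, NamedTuple, Tuple

class Finding(NamedTuple):
    name: str
    target: str
    status: str  # "external-ok" or "dangling"

def is_internal(target: str, own_domains: Iterable[str]) -> bool:
    """True when target equals one of our domains or is a subdomain of one."""
    t = target.rstrip(".").lower()
    owned = (d.rstrip(".").lower() for d in own_domains)
    return any(t == d or t.endswith("." + d) for d in owned)

def system_resolves(host: str) -> bool:
    """Default check: does the name resolve to any address right now?"""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def audit_cnames(records: Iterable[Tuple[str, str, str]],
                 own_domains: Iterable[str],
                 resolves: Callable[[str], bool] = system_resolves) -> List[Finding]:
    """records: (owner, rtype, target) tuples, e.g. parsed from a zone export."""
    own = list(own_domains)
    findings = []
    for owner, rtype, target in records:
        if rtype.upper() != "CNAME" or is_internal(target, own):
            continue
        host = target.rstrip(".")
        # A failed lookup is only one signal: a target can still resolve while
        # the account behind it is gone, so review "external-ok" entries
        # against the list of external services you actually still use.
        status = "external-ok" if resolves(host) else "dangling"
        findings.append(Finding(owner, host, status))
    return findings

# Constructed sample zone data; all names are placeholders.
SAMPLE_ZONE = [
    ("www.example.com.", "A", "192.0.2.10"),
    ("voip.example.com.", "CNAME", "customer1.vendor.example.net."),
    ("shop.example.com.", "CNAME", "old-store.cdn.example.net."),
    ("mail.example.com.", "CNAME", "mx.example.com."),
]

if __name__ == "__main__":
    for f in audit_cnames(SAMPLE_ZONE, ["example.com"]):
        print(f"{f.status:12} {f.name} -> {f.target}")
```

Run it on a schedule against a fresh zone export and alert on any `dangling` entry, removing the record as part of decommissioning the external service.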


