Re: CNAME records in place of A records

[Arne Jensen <darkdevil () darkdevil dk>]

Den 09-11-2020 kl. 01:10 skrev Matt Palmer:
> On Fri, Nov 06, 2020 at 05:07:26AM -0500, Dovid Bender wrote:
> > Sorry if this is a bit OT. Recently several different vendors (in
> > completely different fields) where they white label for us asked us to
> > remove A records that we have going to them and replace them with CNAME
> > records. Is there anything *going around* in the security aranea  that has
> > caused this?
> The closest thing to a *security* issue I can think of is IP agility in the
> face of DDoS attacks -- most booter-style attacks are dumb as rocks, and
> null-routing the target IP and moving all the customers on that IP to
> another one is the easiest solution.

DNSSEC?

A lot of public sector/government stuff, at least around here, should
have had DNSSEC enabled already.

e-Boks, as being the stuff that all state/municipalities sends
electronic communication through (unless you're excluded from
"electronic mail"):

-> https://dnssec-analyzer.verisignlabs.com/www.e-boks.dk

Sure, there DNSSEC on the actual domain name, but the CNAME
*destination* does not.

Or for another examples:

-> https://dnssec-analyzer.verisignlabs.com/www.nsa.gov

There is also DNSSEC enabled on this domain too, but again, the CNAME
*destination* does not.


Wasn't there once a phrase saying something like "a chain is no stronger
than its weakest link"?

What if the SaaS provider is actually the weakest link?

> However, there are many *other* great reasons to get customers to CNAME onto
> their SaaS vendors, including:
>
> * No need to coordinate routine renumbering events;
> * IPv6 support;
> * CAA record (SSL cert issuance) support; and
> * no doubt a bunch of other reasons I've forgotten for the moment.

Renumbering and CAA record indeed two potential good reasons for using
the CNAME, as they wouldn't require clients to perform any manual
actions on their end.

However, I haven't seen anything pointing the direction that "IPv6
support" and "CNAME" would have anything to do with each other.

In the end, using A/AAAA directly is the matter of knowing what you do,
and if you really do, IPv6 support with or without the CNAME wouldn't
really matter.

> Basically, if you sign up for a SaaS that uses your own domain and they
> *don't* give you a CNAME target to point at, I'd be very cautious, because
> they're either *very* new to the game, or they're probably also
> operationally deficient in a lot of other areas, too.

Providing the CNAME, or even requiring the use of it, could also mean
that you should indeed take a close look, at the areas where the SaaS
provider giving you them become "operationally deficient" too.

Hasn't DNS often been criticized of being one common thing that often
make websites slow?

-> https://github.com/PowerDNS/pdns/issues/6874

Real life example from one of the many "SaaS" vendors (in the example,
CDN providers) out there, providing the CNAME, and - obviously depending
on how you look at it, may operate certain things in a very silly way.


My truth? There is too many things out there, making it impossible to
blindly believe that SaaS vendors would always be right, or that their
decisions are always the best.

Your truth? I believe you need to figure out that one yourself.

Just my two cents.

-- 
Med venlig hilsen / Kind regards,
Arne Jensen