Received: from localhost (daemon@localhost) by CS.UTK.EDU with SMTP (cf v2.9s-UTK) id KAA28613; Sun, 6 Oct 1996 10:14:41 -0400
Received: by CS.UTK.EDU (bulk_mailer v1.7); Sun, 6 Oct 1996 10:14:17 -0400
Received: from SEARN.SUNET.SE (searn.sunet.se [192.36.125.4]) by CS.UTK.EDU with SMTP (cf v2.9s-UTK) id KAA28577; Sun, 6 Oct 1996 10:14:14 -0400
Message-Id: <199610061414.KAA28577@CS.UTK.EDU>
Received: from SEARN.SUNET.SE by SEARN.SUNET.SE (IBM VM SMTP V2R3) with BSMTP id 3211; Sun, 06 Oct 96 16:11:23 +0200
Received: from SEARN.SUNET.SE (NJE origin ERIC@SEARN) by SEARN.SUNET.SE (LMail V1.2b/1.8b) with RFC822 id 4414; Sun, 6 Oct 1996 16:11:23 +0200
Date: Sun, 6 Oct 1996 16:02:30 +0200
From: Eric Thomas
Subject: Re: cname lookup effort
To: moore@cs.utk.edu, Roger Fajman
cc: kre@munnari.oz.au, drums@cs.utk.edu
In-Reply-To: Message of Sat, 05 Oct 1996 22:38:56 EDT from Roger Fajman

On Sat, 05 Oct 1996 22:38:56 EDT Roger Fajman said:
>If you have an alias for a service and want to be able to receive mail
>directed at that name, why not just define it in DNS with an A record
>that is the same as the other name?

The problem is that many firewalls will then filter it. It seems that by default (at least for port 25), many firewall products will do a reverse lookup for the IP address in the packet header, then a forward lookup on the results, and it had better match the address in the packet. We ran into that problem big time when migrating from ISP1 to ISP2 because the ISP2 line was (like most new lines) physically flaky at first and we could not match sluggish DNS changes to the speed at which problems occurred (we didn't even try). As far as packet routing went, everything was clear and simple: incoming traffic from ISP1 and outgoing via ISP2 when up, ISP1 otherwise. It was only a temporary solution while the line got tested and re-tested and fixed, of course, but it worked fine, except that the firewalls wouldn't talk to us.
Unfortunately most (if not all) of our large accounts used firewalls, so it was a serious problem. Some had to get an AOL account so they could keep running their lists during the transition.

CNAME does not introduce this problem.

For certain services, it doesn't matter much. For instance, FTP is in most cases completely disabled at the firewall, so it doesn't really matter if the firewall thinks the hostname is kosher. But mail is hardly ever disabled.

And I'm not saying that firewalls should or should not do any of this, I'm just saying that they do, and the people who run them don't understand anything about the Internet, and as a corporate policy any change that relaxes security requires the involvement of 25 layers of management, counsel and consultants and basically never happens. They've been warned that Internet people would suggest decreasing security and that they should resist at all costs.

Eric
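The check the message attributes to port-25 firewalls (reverse lookup on the source address, forward lookup on the resulting name, the two must agree) is what later came to be called forward-confirmed reverse DNS. The following is an added example, not code from the message or from any firewall product, that implements that check over a constructed in-memory zone snapshot; every hostname and address in it is invented (documentation ranges and `.test` names), as are the ISP1/ISP2 addresses used to reproduce the stale-reverse-zone situation the message describes. It also resolves an alias both ways the thread discusses (as a CNAME and as a second A record) so the reader can see what the forward step returns in each case.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check, as the message describes
port-25 firewalls doing: PTR lookup on the packet's source address, then an
A lookup on the returned name, which must contain the source address.

All DNS data below is a constructed snapshot (assumption: no real zone is
consulted); names and addresses are invented for the demonstration."""
from dataclasses import dataclass, field

# Constructed records: (owner name, type) -> list of rdata strings.
ZONE = {
    ("mail.example.test.", "A"): ["192.0.2.25"],               # canonical host, ISP1 address
    ("25.2.0.192.in-addr.arpa.", "PTR"): ["mail.example.test."],
    ("lists.example.test.", "CNAME"): ["mail.example.test."],  # alias done as a CNAME
    ("listserv.example.test.", "A"): ["192.0.2.25"],           # alias done as a second A record
    # Outgoing mail now leaves via ISP2, but the ISP2 reverse zone still
    # names the previous holder of that address (the "sluggish DNS" case).
    ("17.113.0.203.in-addr.arpa.", "PTR"): ["old-customer.isp2.test."],
    ("old-customer.isp2.test.", "A"): ["203.0.113.99"],
}


def reverse_name(ip):
    """Build the in-addr.arpa owner name for an IPv4 dotted-quad address."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def resolve_a(name, zone, max_chain=8):
    """Return the A records for name, following CNAME chains.

    A hop limit and a visited list keep a looping or over-long alias chain
    from hanging the check; such a name is treated as unresolvable."""
    seen = []
    for _ in range(max_chain):
        if (name, "A") in zone:
            return zone[(name, "A")]
        cname = zone.get((name, "CNAME"))
        if not cname or name in seen:
            return []
        seen.append(name)
        name = cname[0]
    return []


@dataclass
class FcrdnsResult:
    ok: bool
    ptr_names: list = field(default_factory=list)
    reason: str = ""


def fcrdns_check(src_ip, zone=ZONE):
    """Firewall-style check: PTR(src_ip) -> name(s); A(name) must include src_ip.

    Any one of possibly several PTR names confirming the address is enough."""
    ptrs = zone.get((reverse_name(src_ip), "PTR"), [])
    if not ptrs:
        return FcrdnsResult(False, [], "no PTR record for source address")
    for name in ptrs:
        if src_ip in resolve_a(name, zone):
            return FcrdnsResult(True, ptrs, f"{name} forward-confirms {src_ip}")
    return FcrdnsResult(False, ptrs, "PTR name(s) do not resolve back to the source address")


if __name__ == "__main__":
    # Canonical ISP1 address, the ISP2 address with a stale PTR, and an
    # address with no PTR at all.
    for ip in ("192.0.2.25", "203.0.113.17", "198.51.100.7"):
        r = fcrdns_check(ip)
        print(f"{ip:15} {'PASS' if r.ok else 'FAIL'}  {r.reason}")
    # Both alias styles resolve to the same address in the forward direction.
    for alias in ("lists.example.test.", "listserv.example.test."):
        print(f"{alias:25} A = {resolve_a(alias, ZONE)}")
```

Run as a script it prints PASS for the ISP1 address, FAIL for the ISP2 address (the PTR names a host whose A record is a different address) and FAIL for the address with no PTR; both aliases resolve to the canonical address in the forward direction. The check is deliberately written as a pure function over a zone dictionary so it can be unit-tested without network access and swapped onto a real resolver by replacing the lookups.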