request for help w/ ATT and terminology

Wow, as far as I can tell, you've pretty much condemned most firewall
software and devices then, because I'm really not aware of any serious
ones that will successfully implement rules such as "allow from" via DNS. Besides, if you've gone to the trouble of
acquiring your own address space, it is a reasonable assumption that
you'll be able to rely on being able to tack down services in that
space. Being expected to walk through every bit of equipment and
reconfigure potentially multiple subsystems within it is unreasonable.

Taking, as one simple example, an older managed ethernet switch, I see
the IP configuration itself, the SNMP configuration (both filters and
traps), the ACLs for management, the time server IP, etc. I guess if
you feel that Bay Networks equipment was a bad buy, you're welcome to
that opinion. I can probably dig up some similar Cisco gear.

... JG

Agreed. I’d see a huge security hole in letting someone put in a firewall rule in a PIX/ASA/etc. as opposed to an IP, especially since it’s rare to see DNSSEC in production.


It's not only a security issue, but a performance issue (both resolver and server) and one of practicality, as well (multiple A records for a single FQDN, CNAMEs, A records without matching PTRs, et al.). The performance problem would likely be even more apparent under DNSSEC, and the practicality issue would remain unchanged.

As smb indicated, many folks put DNS names for hosts in the config files and then perform a lookup and do the conversion to IP addresses prior to deployment (hopefully with some kind of auditing prior to deployment, heh).


  For renumbering purposes, you could reasonably expect the firewall
to perform the translations once when rebooted or reset, after which
it would use the discovered IP addresses. This would only fail where
the firewall was being operated by someone in a different
administrative domain than the engineer who has to renumber... And
those scenarios are already indicative of a security problem.

  Unfortunately, we're all ignoring the big white elephant in the
room: spam filters. When a large flow of email suddenly starts
emitting from an address that didn't previously send significant
amounts of mail, a number of filters squash it for a while based
solely on the changed message rate. This can be very traumatic for the
engineer trying to renumber and it is 100% outside of his realm of
control. And of course, you lose all of the private whitelists that
you talked your way on to over the years where you no longer have a
valid point of contact.

  Renumbering is a bad bad thing.

Bill Herrin
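As an added example (not code from any poster in this thread), here is the resolve-names-before-deployment step smb and Bill describe, with the practicality pitfalls named above (multiple A records for one FQDN, CNAME indirection, A records without a matching PTR) flagged for the audit. The zone data, hostnames and addresses are a constructed in-memory table so it runs offline; a real tool would back resolve() with an actual resolver.

```python
import ipaddress

# Constructed zone data (hypothetical names and addresses, not from the thread).
A_RECORDS = {
    "ntp.example.net": ["192.0.2.10"],
    "mail.example.net": ["192.0.2.20", "192.0.2.21"],  # round-robin: two A records
    "snmp-mgr.example.net": ["198.51.100.5"],          # deliberately has no PTR
}
CNAME_RECORDS = {"www.example.net": "web-lb.example.net",
                 "web-lb.example.net": "mail.example.net"}  # two-hop CNAME chain
PTR_RECORDS = {"192.0.2.10": "ntp.example.net",
               "192.0.2.20": "mail.example.net",
               "192.0.2.21": "mail.example.net"}

# Constructed rule set: the "allow from <name>" form the thread argues against.
RULES = ["allow from ntp.example.net", "allow from mail.example.net",
         "allow from snmp-mgr.example.net", "allow from www.example.net",
         "allow from 203.0.113.7"]


def resolve(name, max_chain=5):
    """Follow CNAMEs (bounded) and return (canonical_name, addresses, warnings)."""
    warnings, hops = [], 0
    while name in CNAME_RECORDS:
        target = CNAME_RECORDS[name]
        warnings.append(f"{name} is a CNAME for {target}")
        name, hops = target, hops + 1
        if hops > max_chain:
            raise ValueError(f"CNAME chain longer than {max_chain} hops")
    addrs = A_RECORDS.get(name, [])
    if not addrs:
        warnings.append(f"{name} has no A record")
    if len(addrs) > 1:
        warnings.append(f"{name} has {len(addrs)} A records; rule must list all")
    for ip in addrs:  # forward/reverse consistency check
        if PTR_RECORDS.get(ip) != name:
            warnings.append(f"{ip} has no PTR matching {name}")
    return name, addrs, warnings


def expand_rules(rules):
    """Rewrite name-based rules to one literal-IP rule per address.
    Returns (expanded_rules, audit_log); literal-IP rules pass through."""
    expanded, audit = [], []
    for rule in rules:
        action, _, src = rule.split()
        try:
            ipaddress.ip_address(src)      # already a literal address
            expanded.append(rule)
            continue
        except ValueError:
            pass
        _, addrs, warnings = resolve(src)
        audit.extend(f"{rule}: {w}" for w in warnings)
        expanded.extend(f"{action} from {ip}" for ip in addrs)
    return expanded, audit
```

Reviewing the audit log before pushing the expanded rules is the "auditing prior to deployment" step; the CNAME and round-robin cases show why the firewall cannot simply do this once at boot.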