Milo Hyson wrote:
In our particular case, we have stale glue records for our nameservers
that appear to be coming from a domain we host that is owned
by someone else. Despite our best efforts, we have not been able to
reach the owners and thus have not been able to get the host records
changed at the registrar. The net result is that any domains listing
those server names fail to resolve as the old IPs are no longer in
service.

This raises a scary question. If this is really an undefined
situation, could it be used as an attack vector? Although our
particular situation involves no component of fraud, what is to stop
someone from registering a domain and listing our server name with a
bogus IP?

Milo Hyson
Chief Scientist
CyberLife Labs
---------------
Nothing. But why would it matter? And why would they ask someone other than the TLDs for your NS?

I don't really think this is a problem as it only comes into play if they query the registered domain. If one is hosting a domain owned by someone else they should be able to contact domain holder. If they cannot contact them, they can just stop hosting them and queries will not then bother them.

I have several secondary nameservers out there and I have registered them with my registrar. Checking for my nameservers at the TLD servers gives this response:

[r...@maplepark ~]# dig +norecurse @A.GTLD-SERVERS.NET maplepark.com ns

; <<>> DiG 9.6.0 <<>> +norecurse @A.GTLD-SERVERS.NET maplepark.com ns
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62282
;; flags: qr; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 5

;; QUESTION SECTION:
;maplepark.com.                 IN      NS

;; ANSWER SECTION:
maplepark.com.          172800  IN      NS      maplepark.com.
maplepark.com.          172800  IN      NS      ns5.dnsmadeeasy.com.
maplepark.com.          172800  IN      NS      ns6.dnsmadeeasy.com.
maplepark.com.          172800  IN      NS      ns6.gandi.net.
maplepark.com.          172800  IN      NS      ns7.dnsmadeeasy.com.

;; ADDITIONAL SECTION:
maplepark.com.          172800  IN      A       64.216.205.121
ns5.dnsmadeeasy.com.    172800  IN      A       63.219.151.12
ns6.dnsmadeeasy.com.    172800  IN      A       64.246.42.203
ns6.gandi.net.          172800  IN      A       217.70.177.40
ns7.dnsmadeeasy.com.    172800  IN      A       205.234.170.139

;; Query time: 91 msec
;; SERVER: 192.5.6.30#53(192.5.6.30)
;; WHEN: Thu Jan  8 09:05:47 2009
;; MSG SIZE  rcvd: 218

As can be seen (or digged|dug), the glue has me (maplepark.com), three other .com(s), and a .net, all as it should be (and as I wanted it and registered it). Not allowing this setup would cripple lookups using my secondaries (all slaves).

OTOH, if you were to add my nameservers to YOUR TLD (through your registrar) anyone querying your nameservers for anything could be directed to my nameserver and then find answers only as long as my nameservers were active. If I, as an active homebuilder, should fall prey to the ridiculous broken market I am dealing with and go out of business, those querying YOUR nameservers could get stupid answers. But if they query the TLD for me they would also get stupid answers until my registration expires. But I wouldn't care too much. Protect yourself by maintaining YOUR TLD through your registrar and don't add me to your list of NS.

My short answer is "Don't host domains that aren't maintained" and rely on the DNS to normally resolve those who do maintain their domains.

imho, the system ain't broke; so don't fix it.
I'm dead sure someone will tell if I'm wrong, and maybe even if I'm not.

--
David Forrest                   e-mail   drf @ maplepark.com
Maple Park Development Corporation  http://www.maplepark.com
St. Louis, Missouri
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
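
An added example, not part of either message above: one way to check for the stale glue described in this thread is to compare the address records a parent (TLD) server hands out in the ADDITIONAL section with what the nameserver's own zone answers. The dig output below is constructed (example names, documentation address ranges), and the function names are hypothetical.

```python
import re

# Constructed sample: referral from a parent (TLD) server, in dig's text format.
PARENT_REFERRAL = """\
;; QUESTION SECTION:
;customer.example.             IN      NS

;; AUTHORITY SECTION:
customer.example.       172800  IN      NS      ns1.hoster.example.
customer.example.       172800  IN      NS      ns2.hoster.example.

;; ADDITIONAL SECTION:
ns1.hoster.example.     172800  IN      A       192.0.2.10
ns2.hoster.example.     172800  IN      A       192.0.2.20
"""

# Constructed sample: what the hoster's own zone answers for the same names.
AUTHORITATIVE_ANSWER = """\
;; ANSWER SECTION:
ns1.hoster.example.     3600    IN      A       192.0.2.10
ns2.hoster.example.     3600    IN      A       198.51.100.20
"""

# owner-name, TTL, class IN, type A/AAAA, address
RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA)\s+(\S+)$")

def address_records(dig_text, section):
    """Return {owner_name: set(addresses)} from one section of dig output."""
    records, in_section = {}, False
    for line in dig_text.splitlines():
        line = line.strip()
        if line.startswith(";;"):          # section header or trailer line
            in_section = line == f";; {section} SECTION:"
            continue
        m = RR.match(line)
        if in_section and m:
            records.setdefault(m.group(1).lower(), set()).add(m.group(3))
    return records

def stale_glue(parent_text, auth_text):
    """List (name, glue_addrs, zone_addrs) where parent glue differs from the zone.
    A name the zone does not answer for at all is reported with an empty list."""
    glue = address_records(parent_text, "ADDITIONAL")
    auth = address_records(auth_text, "ANSWER")
    return [(name, sorted(addrs), sorted(auth.get(name, ())))
            for name, addrs in sorted(glue.items()) if addrs != auth.get(name, set())]

if __name__ == "__main__":
    for name, glue, zone in stale_glue(PARENT_REFERRAL, AUTHORITATIVE_ANSWER):
        print(f"STALE GLUE {name}: parent has {glue}, zone has {zone}")
```

In practice the two inputs would be the saved output of a +norecurse query to the parent servers, as in the reply above, and of a query to the nameserver itself.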
