On Thu, Jan 08, 2009 at 02:46:44AM -0800, Milo Hyson <m...@cyberlifelabs.com> wrote a message of 127 lines which said:
> stale glue records for our name-servers that appear to be coming
> from a domain we host that is owned by someone else.

I don't really like to work on hypothetical situations. Either you post the relevant domain name, or I would not believe you.

> This raises a scary question. If this is really an undefined
> situation, could it be used as an attack vector? Although our
> particular situation involves no component of fraud, what is to stop
> someone from registering a domain and listing our server name with a
> bogus IP?

For someone to "register a domain and listing our server name with a bogus IP", the registry has to be incredibly careless (and, as Matthew Pounsett mentioned, with EPP, it would be impossible). A registry must not accept to register host records for domains outside of the client's control. Otherwise, it would indeed be an attack vector.

A weakness in ".com" is that the registrar, not only the registry, has to enforce this rule since the registry apparently only checks that the two domains are in the same registrar. So, if the security procedures of the registrar are unsound, one client of this registrar can attack another client of the same registrar. Choose your registrar carefully. (Or choose a TLD where control is per-holder, not per-registrar.)
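
The difference between the two rules in the message above (control checked per registrar versus per holder), as an added example that is not part of the original message and not any registry's actual code. The domain names, holders, registrars and the `may_create_host` function are constructed for illustration, and the model assumes a host record carrying an address must sit under a domain registered in the same registry.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Domain:
    name: str
    holder: str     # client who owns the domain
    registrar: str  # registrar sponsoring the domain

# Constructed registry contents: alice and bob are unrelated clients of the
# same registrar; carol uses a different one.
REGISTRY = {d.name: d for d in (
    Domain("victim.example", "alice", "registrar-1"),
    Domain("other.example", "bob", "registrar-1"),
    Domain("third.example", "carol", "registrar-2"),
)}

def superordinate(host):
    """Return the registered domain that contains `host`, or None."""
    labels = host.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        domain = REGISTRY.get(".".join(labels[i:]))
        if domain is not None:
            return domain
    return None

def may_create_host(host, requester, registrar, policy):
    """Decide whether a host (glue) record for `host` may be created.

    policy="per-registrar": only the sponsoring registrar is checked; the
        holder check is left to the registrar's own procedures.
    policy="per-holder": the requester must hold the parent domain.
    """
    parent = superordinate(host)
    if parent is None:
        return False  # assumption: no address records for out-of-registry hosts
    if registrar != parent.registrar:
        return False  # a different registrar never controls this domain
    if policy == "per-registrar":
        return True
    if policy == "per-holder":
        return requester == parent.holder
    raise ValueError(f"unknown policy: {policy}")

if __name__ == "__main__":
    for policy in ("per-registrar", "per-holder"):
        for who, reg in (("alice", "registrar-1"), ("bob", "registrar-1"),
                         ("carol", "registrar-2")):
            ok = may_create_host("ns1.victim.example", who, reg, policy)
            print(f"{policy:13} {who:5} via {reg}: {'accept' if ok else 'reject'}")
```

Under the per-registrar rule the request from bob is accepted unless the registrar itself checks the holder, which is the gap the message describes.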