Conflicting glue records?

Stephane Bortzmeyer bortzmeyer at nic.fr
Mon Jan 19 13:22:11 UTC 2009


On Thu, Jan 08, 2009 at 02:46:44AM -0800,
 Milo Hyson <milo at cyberlifelabs.com> wrote 
 a message of 127 lines which said:

> stale glue records for our name-servers that appear to be coming
> from a domain we host that is owned by someone else.

I don't really like to work on hypothetical situations. Either you
post the relevant domain name, or I will not believe you.

> This raises a scary question. If this is really an undefined
> situation, could it be used as an attack vector? Although our
> particular situation involves no component of fraud, what is to stop
> someone from registering a domain and listing our server name with a
> bogus IP?

For someone to "register a domain and listing our server name with a
bogus IP", the registry has to be incredibly careless (and, as Matthew
Pounsett mentioned, with EPP, it would be impossible). A registry must
not accept the registration of host records for domains outside of the
client's control. Otherwise, it would indeed be an attack vector.

A weakness in ".com" is that the registrar, not only the registry, has
to enforce this rule since the registry apparently only checks that
the two domains are in the same registrar. So, if the security
procedures of the registrar are unsound, one client of this registrar
can attack another client of the same registrar. Choose your registrar
carefully. (Or choose a TLD where control is per-holder, not
per-registrar.)
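
Added example, not part of the original message and not any registry's actual code: a small model of the two authorization rules contrasted above, showing which host-record requests a per-registrar check accepts that a per-holder check refuses. All domain, registrar and holder names are constructed, and the function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Domain:
    name: str
    registrar: str  # sponsoring registrar
    holder: str     # the registrar's client who controls the domain

# Constructed sample registry: two clients of one registrar, one of another.
DOMAINS = {d.name: d for d in (
    Domain("victim.example", "registrar-a", "alice"),
    Domain("other.example", "registrar-a", "bob"),
    Domain("third.example", "registrar-b", "carol"),
)}

def superordinate(host):
    """Return the registered domain that contains `host`, or None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DOMAINS:
            return DOMAINS[candidate]
    return None

def registry_check(host, requester_domain):
    """Per-registrar rule: both domains only need the same registrar."""
    parent, req = superordinate(host), DOMAINS.get(requester_domain)
    return bool(parent and req and parent.registrar == req.registrar)

def holder_check(host, requester_domain):
    """Per-holder rule: the requester must control the host's parent domain."""
    parent, req = superordinate(host), DOMAINS.get(requester_domain)
    return bool(parent and req
                and (parent.registrar, parent.holder) == (req.registrar, req.holder))

def audit(requests):
    """Requests the per-registrar rule accepts but the per-holder rule refuses."""
    return [r for r in requests if registry_check(*r) and not holder_check(*r)]

# Constructed requests: (host record to register, domain of the requesting client)
REQUESTS = [
    ("ns1.victim.example", "victim.example"),  # holder setting its own glue
    ("ns1.victim.example", "other.example"),   # same registrar, different holder
    ("ns1.victim.example", "third.example"),   # different registrar
]

if __name__ == "__main__":
    for host, requester in audit(REQUESTS):
        print(f"gap: {requester} may register a host record for {host}")
```

The one request reported by `audit` is the case the registrar itself has to refuse when the registry only compares registrars.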




