Dynamic DNS

Kevin Darcy kcd at daimlerchrysler.com
Tue Feb 6 00:33:53 UTC 2001


Pierre Léonard wrote:

> Hi Kevin,
>
> And thank you for your answer.
> My English is relatively poor, so don't hesitate to stop me if I misunderstand.
>
> > To provide redundancy for a zone to the world in general, practically speaking a slave must have a statically-assigned address. If you were to use a
> > registered slave with a dynamically-assigned address, it would not only harm your redundancy, but also your security, since if someone were to get the
> > former address of your nameserver assigned to their server before all of the old A records expired from everyone's caches, they could conceivably hijack
> > your domain temporarily. Do you implicitly trust *everyone* in your dynamic address pool?
>
> I read the RFC concerning TSIG and Dynamic Update, and I understand that the transactions, and in consequence the use, are secure.

Yes, TSIG can be used to authenticate Dynamic Updates coming from clients. The kind of "hijacking" I was referring to was not Dynamic Update spoofing, but
masquerading as the nameserver for your domain on an old-but-still-cached dynamically-assigned address. Short of DNSSEC, nameservers currently have no way to
authenticate responses coming from other nameservers on the Net other than simply trusting the source address of the response. So if someone gets your old
address and wants to spoof your domain, everyone else will believe them. Hence, "hijacking".

> You mean that the usage of dynamic IP is an open door for masquerading. Someone can use my future address and install services before me. But I understand
> that the problem occurs whatever the service behind, http, mail or DNS.
> Is that correct?

The difference is one of scale. If someone hijacks the address of your HTTP or SMTP server, i.e. a "leaf" node, they get the opportunity to intercept your web
and/or mail traffic for a variable amount of time, which you can control somewhat by tuning your TTL values. If they hijack the address of your NS, however --
a "branch" node -- then they can run a nameserver which advertises any NS list they want for your domain (including perhaps addresses of other servers under
their control!) with a large TTL, and everyone will keep going back to those nameservers for information about your domain, instead of your nameservers. So
instead of a hijack of mere minutes or hours, for only *some* of the names in your domain, potentially they could hijack your *entire* domain for days or even
weeks. Which is a much bigger exposure.

- Kevin
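The "leaf" versus "branch" distinction in the reply above, worked through as a toy model. This is an added illustration, not code from the bind-users thread or from BIND; every name, address, TTL and the dynamic address pool is constructed for the example. A minimal caching resolver with no DNSSEC believes whatever answers on the address it queried, which is exactly the assumption the reply relies on. `dynamic_nameservers()` is the practitioner check implied by the reply: flag any delegation glue that falls inside a dynamic pool.

```python
"""Toy model of NS-address ("branch node") hijack versus a "leaf" hijack.

Added illustration, not code from the bind-users thread or from BIND. All
names, addresses, TTLs and the dynamic pool are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

ZONE = "example.com"
NS_NAME = "ns1." + ZONE
WWW = "www." + ZONE
DYNAMIC_POOL = ipaddress.ip_network("10.0.0.0/24")   # assumed ISP dynamic pool


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    value: str
    ttl: int


class Server:
    """An authoritative server: its answers plus the NS and glue it asserts."""
    def __init__(self, answers, ns_rr, glue_rr):
        self.answers = {(r.name, r.rtype): r for r in answers}
        self.ns_rr, self.glue_rr = ns_rr, glue_rr

    def respond(self, name, rtype):
        # answer section, then the authority (NS) and additional (glue) sections
        return self.answers.get((name, rtype)), [self.ns_rr, self.glue_rr]


class Resolver:
    """Caching resolver: trusts the source address of every reply (no DNSSEC)."""
    def __init__(self, holders, parent):
        self.holders = holders      # ip -> Server currently holding that address
        self.parent = parent        # delegation RRs (NS + glue) held by the parent zone
        self.cache = {}             # (name, rtype) -> (RR, expiry time)

    def _get(self, name, rtype, now):
        hit = self.cache.get((name, rtype))
        return hit[0] if hit and hit[1] > now else None

    def _put(self, rr, now):
        self.cache[(rr.name, rr.rtype)] = (rr, now + rr.ttl)

    def resolve(self, name, rtype, now):
        rr = self._get(name, rtype, now)
        if rr:
            return rr.value
        ns = self._get(ZONE, "NS", now)
        glue = ns and self._get(ns.value, "A", now)
        if not glue:                            # nothing usable cached: ask the parent
            for r in self.parent:
                self._put(r, now)
            ns = self._get(ZONE, "NS", now)
            glue = self._get(ns.value, "A", now)
        rr, extra = self.holders[glue.value].respond(name, rtype)
        for r in extra + ([rr] if rr else []):  # cache the NS/glue the server asserted
            self._put(r, now)
        return rr.value if rr else None


def dynamic_nameservers(delegation):
    """Practitioner check: names whose glue address lies inside the dynamic pool."""
    return [r.name for r in delegation
            if r.rtype == "A" and ipaddress.ip_address(r.value) in DYNAMIC_POOL]


def branch_hijack():
    """ns1's dynamic address changes hands; the attacker plants a week-long NS set."""
    legit = Server([RR(WWW, "A", "192.0.2.10", 300)],
                   RR(ZONE, "NS", NS_NAME, 86400), RR(NS_NAME, "A", "10.0.0.5", 86400))
    holders = {"10.0.0.5": legit}
    parent = [RR(ZONE, "NS", NS_NAME, 172800), RR(NS_NAME, "A", "10.0.0.5", 172800)]
    res = Resolver(holders, parent)
    out = {"flagged": dynamic_nameservers(parent)}      # ns1 is on a dynamic address
    out["t0"] = res.resolve(WWW, "A", 0)                # legit answer; glue now cached
    # t=1000: ns1's lease ends, it moves to 10.0.0.77 and the parent is updated.
    legit.glue_rr = RR(NS_NAME, "A", "10.0.0.77", 86400)
    holders["10.0.0.77"] = legit
    parent[:] = [RR(ZONE, "NS", NS_NAME, 172800), RR(NS_NAME, "A", "10.0.0.77", 172800)]
    # The old address goes to an attacker who answers for the zone and advertises
    # glue pointing at a static server of their own, with a one-week TTL.
    attacker = Server([RR(WWW, "A", "203.0.113.66", 300)],
                      RR(ZONE, "NS", NS_NAME, 604800), RR(NS_NAME, "A", "203.0.113.9", 604800))
    holders["10.0.0.5"] = attacker
    holders["203.0.113.9"] = attacker
    out["t1200"] = res.resolve(WWW, "A", 1200)          # www expired; stale glue used
    out["glue_expiry"] = res.cache[(NS_NAME, "A")][1]   # attacker's glue: one week
    out["t400000"] = res.resolve(WWW, "A", 400000)      # parent's glue TTL long past
    return out


def leaf_hijack():
    """For contrast: www's own address changes hands; exposure is one A-record TTL."""
    legit = Server([RR(WWW, "A", "10.0.0.9", 300)],
                   RR(ZONE, "NS", NS_NAME, 86400), RR(NS_NAME, "A", "192.0.2.53", 86400))
    holders = {"192.0.2.53": legit}                     # ns1 on a static address
    parent = [RR(ZONE, "NS", NS_NAME, 172800), RR(NS_NAME, "A", "192.0.2.53", 172800)]
    res = Resolver(holders, parent)
    res.resolve(WWW, "A", 0)
    legit.answers[(WWW, "A")] = RR(WWW, "A", "10.0.0.42", 300)   # www moved at t=100
    return {"t200": res.resolve(WWW, "A", 200), "t301": res.resolve(WWW, "A", 301)}


if __name__ == "__main__":
    print(branch_hijack())
    print(leaf_hijack())
```

In the branch case the resolver never goes back to the parent for the corrected delegation, because it already holds a (planted) NS set and glue; each further answer from the attacker renews that glue for another week, so the exposure outlasts the parent's own TTL by as much as the attacker likes. In the leaf case the stale answer dies with one 300-second A-record TTL. The model is deliberately simplified: real resolvers apply credibility ranking and bailiwick checks to authority and additional records, but the attacker's records here are in-bailiwick and come from the server the resolver chose to ask, which is the situation the reply describes.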




More information about the bind-users mailing list