Novel task for DNS.

Michael Kjorling michael at kjorling.com
Tue Jul 31 17:14:31 UTC 2001


Please read my ENTIRE post before taking ANY action. I take absolutely
no responsibility whatsoever for the actions of others, so to the
other readers of this list/newsgroup I say: do not hold me responsible
for whatever the result of this is. Instead, ask those who take the
actions to explain them.

This _should_ not be done. One person did this with the .com gTLD a
while back and got into quite a bit of trouble for that. (Search for
the key words 'warren', 'wildcard' and 'com' and you will probably
see what I mean.)

That said, you might want to have a look at defining your own root
zone and using wildcard records. And for Heaven's sake, set the TTL to
ZERO!!! Yes, that's right, zero, nada, null, 0.

But if you are directing those people to a 'sandbox' box anyway, why
not put a firewall right after it denying any traffic going anywhere
else than the absolutely required servers? (That is, those who handle
user accounts.)

The advantage would be that people can't use IP addresses in order to
bypass the limitations, and you don't risk polluting other people's
carefully crafted namespace. Plus, you don't expose that box to any
unnecessary risks.


Michael Kjörling


On Jul 31 2001 17:03 +0100, William Noad wrote:

> Greetings DNS Gurus,
>
> I have what may sound like a strange requirement, so I'll give you the
> background first.
>
> I work for ntl, a major UK ISP.  One of our future products will include
> user accounts that can `expire', requiring the user to re-register (to
> some degree) to reactivate the account.  We can (apparently) set up RADIUS
> on the modem racks such that anyone whose account has expired gets put
> into a specially constructed sandbox, from which they either re-register
> or logout.  To ensure the user hits the re-registration system we want to
> set up a DNS server within the sandbox that resolves /any/ domain name to
> the IP address of the re-registration server.
>
> I think that this should be possible using BIND configuration files, but
> the timescales I have been given preclude (sadly) carrying out all the
> research myself.
>
> Has anyone else set up something similar using BIND? Or can someone
> categorically say `that can't be done'.
>
> Hope you can help.
>
> TIA
> 	William Noad

-- 
Michael Kjörling - michael at kjorling.com - PGP: 8A70E33E
Manager Wolf.COM -- Programmer -- Network Administrator
"We must be the change we wish to see" (Mahatma Gandhi)

^..^     Support the wolves in Norway -- go to     ^..^
 \/   http://home.no.net/ulvelist/protest_int.htm   \/

***** Please only send me emails which concern me *****



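As an added illustration of the approach Michael sketches above (a private root zone with a wildcard record and a zero TTL), here is a BIND 9 style configuration. It is not configuration from either poster or from ntl: the addresses are taken from the RFC 5737 documentation range, the names `ns.` and `sandbox-root.zone` are assumed, and the file names are placeholders.

```conf
// ---- named.conf (BIND 9 syntax; all addresses are constructed examples) ----
options {
    directory "/var/named";
    recursion no;                   // authoritative only: the sandbox server never
                                    // forwards queries to the real root servers
    listen-on { 192.0.2.53; };      // the sandbox resolver's own address (assumed)
    allow-query { 192.0.2.0/24; };  // only sandboxed clients may query it
    allow-transfer { none; };       // nobody may copy this fake root zone
};

// Serving "." makes this server claim authority for the whole namespace.
// That is exactly why it must be unreachable from outside the sandbox.
zone "." {
    type master;
    file "sandbox-root.zone";
};

; ---- sandbox-root.zone ----
$TTL 0          ; every answer is uncacheable, so a client that leaves the
                ; sandbox does not carry the bogus mappings out with it
$ORIGIN .
@       IN SOA  ns. hostmaster.ns. (
                2001073101  ; serial
                3600        ; refresh
                900         ; retry
                604800      ; expire
                0 )         ; negative-cache TTL, also zero
@       IN NS   ns.
ns.     IN A    192.0.2.53  ; this server (assumed address)
*.      IN A    192.0.2.10  ; every other name -> the re-registration server (assumed)
; Wildcard caveat: "*." only matches names whose closest existing ancestor is
; the root. "ns." exists, so a query for "www.ns." gets NXDOMAIN, not the
; wildcard answer. Keep the zone free of any other explicit names.
```

Because recursion is off and the zone claims authority for ".", this server answers nothing truthfully and should live only on the sandbox segment, behind the firewall Michael describes that permits traffic solely to the account-handling servers. The zero TTL is what limits the damage when a re-registered user is moved back to a normal network: nothing from the sandbox survives in their cache.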



