Unsolicited Dynamic Updates (was Re: Win2K picking away at my named)

Kevin Darcy kcd at daimlerchrysler.com
Tue Mar 27 01:16:03 UTC 2001


Mark.Andrews at nominum.com wrote:

> > Mark.Andrews at nominum.com wrote:
> > >
> > [snip]
> > >
> > >         Also there is a BCP in the works that should help alleviate this
> > >         problem once it is published and the relevant patches are installed
> > >         that implement this BCP.
> > >
> >
> > Is there a public draft available?
> >
> > With respect,
> > Jim
>
> http://www.ietf.org/internet-drafts/draft-esibov-dnsext-dynupdtld-00.txt
> + extensions to handle non tld/roots.  The next draft will be a
> dnsext working group item.
>
> The proposed extension is to look for _noupdate.<zone> TXT before
> attempting an update if you automatically locate the zone to be
> updated.  If it exists you abort the automatic update.  If you
> manually specify the zone to be updated then this test will not be
> done.

(Sorry, I know this is technically off-topic for this list, but this issue has
really gotten my goat.)

The original Draft was a thinly-veiled CYA, and this new
extension is just a kludge on top of a thinly-veiled CYA. Best Current Practice is
for automatic Dynamic Updates to be turned OFF by default in any client software.
Period. End of sentence. *That* is the way any relevant BCP should be published.
Let's not obfuscate the problem, and the solution, with an asinine TXT-record
"cookie" "opt-out" scheme that puts the primary burden for a *client*
configuration problem on *server* operators.

On a parallel track, if the situation gets much worse, I'll be reporting all of
these unauthorized Dynamic Update attempts to the FBI as hacking activity, which
I believe is a fair description, i.e. unauthorized attempts to remotely manipulate
data -- at the very least, all of this Dynamic Update noise works to obscure
"real" hacking activity and thus lowers overall security. We'll see how much
software you-know-who sells if they have to put a conspicuous label on each
distribution CD that reads: "WARNING: use of this software with its default
settings may subject you to criminal prosecution and/or civil penalties"....


- Kevin
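
The client-side test described in the quoted text above, sketched as an added example (it is not part of either message, the draft, or any DNS client): look for `_noupdate.<zone>` TXT only when the zone was located automatically, and skip the test when the zone is given manually. Assumptions: zone discovery by walking up the labels until an SOA is found, the hypothetical helper names, and the constructed `RECORDS` table standing in for real lookups.

```python
# Added illustration; not code from the draft, BIND, or any DNS client.
# RECORDS is constructed sample data standing in for live DNS answers.
RECORDS = {
    (".", "SOA"): ["root-primary.invalid."],
    ("_noupdate.", "TXT"): [""],                      # root opts out
    ("com.", "SOA"): ["tld-primary.invalid."],
    ("_noupdate.com.", "TXT"): [""],                  # TLD opts out
    ("example.com.", "SOA"): ["ns1.example.com."],    # accepts updates
    ("corp.example.com.", "SOA"): ["ns1.corp.example.com."],
    ("_noupdate.corp.example.com.", "TXT"): ["no automatic updates"],
}

def lookup(name, rrtype):
    """Stand-in resolver: return the constructed RRset, or [] if none."""
    return RECORDS.get((name.lower(), rrtype), [])

def fqdn(name):
    name = name.lower()
    return name if name.endswith(".") else name + "."

def locate_zone(host, query=lookup):
    """Assumed discovery method: strip labels until a name has an SOA."""
    name = fqdn(host)
    while True:
        if query(name, "SOA"):
            return name
        if name == ".":
            return None
        name = name.partition(".")[2] or "."

def plan_update(host, zone=None, query=lookup):
    """Return (action, zone, reason) for a pending dynamic update."""
    if zone is not None:
        # Zone specified manually: the opt-out test is not done.
        return ("send", fqdn(zone), "zone given manually, test skipped")
    found = locate_zone(host, query)
    if found is None:
        return ("abort", None, "no enclosing zone found")
    marker = "_noupdate." + ("" if found == "." else found)
    if query(marker, "TXT"):
        # Record exists: abort the automatic update.
        return ("abort", found, marker + " TXT exists")
    return ("send", found, "no opt-out record")

if __name__ == "__main__":
    for host in ("pc1.example.com", "pc2.corp.example.com",
                 "stray.com", "laptop.localdomain"):
        print(host, plan_update(host))
    print(plan_update("pc2.corp.example.com", zone="corp.example.com"))
```

A host whose name falls through to `com.` or the root is the case the draft targets: the client locates a TLD or root zone, finds the marker, and sends nothing.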



