
Re: DNSEXT WGLC: IPv6 Name Auto Registration



Ted Lemon <Ted.Lemon@nominum.com> writes:

> You could do an additional validation where if someone wants to stuff
> a new value into an old PTR record, the DNS server looks to see if the
> old FQDN in that PTR record still points back to the address referred
> to by the PTR record, and if it does, refuses the update.   This
> prevents PTR record stealing.
> 
> Is there some other attack I'm not thinking of here?

I rightfully grab an address and go through the process.  Then I go
offnet without removing my forward pointer.  My "lease" expires.  The
next person who happens to get my address can no longer get the PTR
entry because the old (stale) forward entry is still there.

> Obviously this assumes that the DNS server for the zone in question is
> willing to have arbitrary clients establish PTR records.   I can
> imagine a variety of administrative policies, from "allow all domains"
> to "allow only this set of domains" to "allow only my domain" to
> "allow no PTR updates at all."

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com
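The check Ted proposes and the stale-forward-record problem Derek raises can both be shown with a toy in-memory resolver. The code below is an added illustration, not part of the original thread or of any DNS server; the zone contents (alice.example., bob.example., mallory.example., 2001:db8::1) are constructed sample data, and the two-dictionary model of the forward (AAAA) and reverse (PTR) zones is an assumption made for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample address (documentation prefix); not from the thread.
ADDR = "2001:db8::1"


@dataclass
class ToyDns:
    """Minimal model of one forward zone (FQDN -> AAAA) and one reverse zone
    (address -> PTR). Assumed structure for the example only."""
    aaaa: dict = field(default_factory=dict)
    ptr: dict = field(default_factory=dict)

    @staticmethod
    def canon(addr: str) -> str:
        # Compare addresses in canonical form so "2001:DB8:0::1" and
        # "2001:db8::1" are treated as the same address.
        return str(ipaddress.IPv6Address(addr))

    def set_aaaa(self, fqdn: str, addr: str) -> None:
        self.aaaa[fqdn] = self.canon(addr)

    def remove_aaaa(self, fqdn: str) -> None:
        self.aaaa.pop(fqdn, None)

    def update_ptr(self, addr: str, new_fqdn: str):
        """Ted's validation: refuse to overwrite a PTR whose current target
        still has a forward record pointing back at this address."""
        addr = self.canon(addr)
        old_fqdn = self.ptr.get(addr)
        if old_fqdn is not None and old_fqdn != new_fqdn:
            if self.aaaa.get(old_fqdn) == addr:
                return False, f"refused: {old_fqdn} still points back to {addr}"
        self.ptr[addr] = new_fqdn
        return True, "accepted"


def scenario_ptr_stealing():
    """Alice holds the address and a matching AAAA; Mallory tries to
    take over the PTR. The check refuses the second update."""
    dns = ToyDns()
    dns.set_aaaa("alice.example.", ADDR)
    alice_ok, _ = dns.update_ptr(ADDR, "alice.example.")
    mallory_ok, _ = dns.update_ptr(ADDR, "mallory.example.")
    return alice_ok, mallory_ok


def scenario_stale_forward(alice_cleans_up: bool):
    """Derek's case: Alice leaves the network. If her AAAA is left behind,
    Bob (the next holder of the address) is locked out of the PTR."""
    dns = ToyDns()
    dns.set_aaaa("alice.example.", ADDR)
    dns.update_ptr(ADDR, "alice.example.")
    if alice_cleans_up:
        dns.remove_aaaa("alice.example.")  # forward entry removed on departure
    # Address is reassigned; Bob registers his own forward record.
    dns.set_aaaa("bob.example.", ADDR)
    bob_ok, reason = dns.update_ptr(ADDR, "bob.example.")
    return bob_ok, reason


if __name__ == "__main__":
    print("stealing attempt (alice_ok, mallory_ok):", scenario_ptr_stealing())
    print("stale AAAA left behind:", scenario_stale_forward(False))
    print("AAAA removed on departure:", scenario_stale_forward(True))
```

Running it shows the two sides of the thread: the back-pointer check does stop a live PTR from being overwritten, but the same check turns an abandoned forward record into a permanent lock on the reverse entry, which is the operational gap Derek points out.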

archive: <http://ops.ietf.org/lists/namedroppers/>