
Re: DNSEXT WGLC: IPv6 Name Auto Registration



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Ted" == Ted Lemon <Ted.Lemon@nominum.com> writes:
    >>> Sorry, misuse of terminology.  It sends an update to the reverse
    >>> server signed in the private half of the SIG key from its forward
    >>> FQDN.  The reverse server has to know to do step 6 to validate the
    >>> update.
    >> because my laptop has a relationship to the server for psg.com, and
    >> can put something kinky into the forward name should not mean that the
    >> owner of the reverse zone should trust the data in the forward zone or
    >> that the laptop asserts.  is the attack not pretty obvious?

    Ted> It was a rough outline.  Obviously the checking the reverse server
    Ted> has to do to make it work is more than what I said, but it's totally
    Ted> doable.  The validation I described prevents a random host on the
    Ted> network from trivially stuffing the DNS server with bogus PTR
    Ted> records.  You could do an additional validation where if someone
    Ted> wants to stuff a new value into an old PTR record, the DNS server
    Ted> looks to see if the old FQDN in that PTR record still points back to
    Ted> the address referred to by the PTR record, and if it does, refuses
    Ted> the update.  This prevents PTR record stealing.

  Maybe. I'm not convinced that the failure cases are tractable, or can
easily be dealt with. 

    Ted> Obviously this assumes that the DNS server for the zone in question
    Ted> is willing to have arbitrary clients establish PTR records.  I can

  It would be a lot easier if a machine on the local LAN can control things to
a finer degree. A lot easier to deal with the trust relationships. It
provides a clearly local place to put administrative overrides, and to clear
up confusion. Such a machine can much more clearly check reachability of the
"client".

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
  

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBPkRXNoqHRg3pndX9AQHUiAQAvpzDUeMsQOLeQgvtFPhaneJ+zBgnlYXS
lcmppEfNlbc7G0Igl3AKtaIucYvwixqPH3EcpVYHchc0Jz2scDCOWK4FcVhxB9YD
LrZr8HVM3YEZXFfVtNWypgoQ7UFD7s18TCNJzchAEhiEcyRFR7z9P4CB71cA3/qM
XfgXmpCGRYg=
=Haq4
-----END PGP SIGNATURE-----
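The validation Ted sketches above (the reverse server checks that the signing key belongs to the forward name, that the forward name resolves to the address, and refuses to overwrite an existing PTR whose name still resolves to that address) can be written down as a decision function. The Python below is an added example for this archive page, not code from the thread or from any DNS implementation; it models the forward zone, its published keys and the reverse zone as in-memory dictionaries, and stands in for SIG-based verification with a plain key-id comparison. All names and addresses are constructed from the example.net and 2001:db8::/32 documentation ranges.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class ToyZones:
    """Constructed stand-in for what the reverse server would look up over DNS."""
    aaaa: dict = field(default_factory=dict)     # fqdn -> set of address strings
    sig_key: dict = field(default_factory=dict)  # fqdn -> key id published in the forward zone
    ptr: dict = field(default_factory=dict)      # address -> fqdn currently in the reverse zone


def _norm_addr(addr):
    # Canonical textual form, so "2001:0db8::1" and "2001:db8::1" compare equal.
    return str(ip_address(addr))


def _norm_name(name):
    return name.rstrip(".").lower()


def forward_confirms(zones, fqdn, addr):
    """True when the forward zone maps fqdn to addr (the 'still points back' test)."""
    addrs = {_norm_addr(a) for a in zones.aaaa.get(_norm_name(fqdn), ())}
    return _norm_addr(addr) in addrs


def evaluate_ptr_update(zones, addr, new_fqdn, signing_key_id):
    """Decide whether the reverse server should accept addr -> new_fqdn.

    Returns (accepted, reason) without modifying the zone.
    """
    addr = _norm_addr(addr)
    new_fqdn = _norm_name(new_fqdn)

    # 1. The update must verify under the key the forward zone publishes for
    #    new_fqdn. A real server would verify a SIG; here a key id is compared.
    if zones.sig_key.get(new_fqdn) != signing_key_id:
        return False, "signature does not verify against forward zone key"

    # 2. The claimed forward name must actually resolve to this address, so a
    #    host cannot register a PTR pointing at a name it does not hold.
    if not forward_confirms(zones, new_fqdn, addr):
        return False, "forward name does not resolve to this address"

    # 3. Anti-stealing rule from the thread: if the PTR already holds a name
    #    that still resolves to addr, the existing owner keeps the record.
    old_fqdn = zones.ptr.get(addr)
    if (old_fqdn is not None
            and _norm_name(old_fqdn) != new_fqdn
            and forward_confirms(zones, old_fqdn, addr)):
        return False, "existing PTR owner still resolves to this address"

    return True, "accepted"


def apply_ptr_update(zones, addr, new_fqdn, signing_key_id):
    """Evaluate the update and, if accepted, write it into the reverse zone."""
    accepted, reason = evaluate_ptr_update(zones, addr, new_fqdn, signing_key_id)
    if accepted:
        zones.ptr[_norm_addr(addr)] = _norm_name(new_fqdn)
    return accepted, reason


def demo_zones():
    """Constructed sample data: old.example.net currently owns the PTR for 2001:db8::1."""
    return ToyZones(
        aaaa={
            "old.example.net": {"2001:db8::1"},
            "laptop.example.net": {"2001:db8::1"},
            "rogue.example.net": {"2001:db8::2"},
        },
        sig_key={
            "old.example.net": "key-old",
            "laptop.example.net": "key-laptop",
            "rogue.example.net": "key-rogue",
        },
        ptr={"2001:db8::1": "old.example.net"},
    )


if __name__ == "__main__":
    z = demo_zones()
    # Refused: old.example.net still resolves to the address, so it keeps the PTR.
    print(apply_ptr_update(z, "2001:db8::1", "laptop.example.net.", "key-laptop"))
    # Refused: rogue.example.net does not resolve to 2001:db8::1.
    print(apply_ptr_update(z, "2001:db8::1", "rogue.example.net", "key-rogue"))
    # Once the old forward record is gone, the new registration is accepted.
    z.aaaa["old.example.net"] = set()
    print(apply_ptr_update(z, "2001:db8::1", "laptop.example.net", "key-laptop"))
```

The order of the checks matters: the signature and forward-resolution tests cost only forward-zone lookups the server must do anyway, while the anti-stealing rule is what turns "can this host prove it is the name" into "is nobody else still legitimately that address". It also shows the failure case Michael raises: once a stale forward record lingers, the old owner blocks re-registration until someone with authority over the forward zone cleans it up.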

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>