mailing list archives
Re: The out-of-domain NS registration attack
From: djb () CR YP TO (D. J. Bernstein)
Date: Mon, 20 Mar 2000 12:20:36 -0000
dgover () cindy hol gr writes:
When you specify ns1.jsnet.com as an NS for
your domain, the IP address NSI already holds for this hostname is used.
As I said before, NSI isn't holding an IP address for this name.
On the other hand, as David Terrell pointed out, NSI won't accept
ns1.jsnet.com host information except from the jsnet.com contact, so my
example does not work as stated.
NSI will still accept host information outside *.com, *.net, and *.org;
I've registered crypto.gov, for example, as you can see from whois.
Fortunately, NSI has stopped providing glue for NS names of this type.
So my current impression is that NSI is immune to this attack.
However, at least two country TLDs are vulnerable. A simple solution, as
described in my previous message, is for the registries to automatically
replace out-of-domain NS names with in-domain NS names. I categorically
recommend this strategy for all new registries.
Furthermore, NSI's host-registration process still allows massive abuse.
An attacker can register host names under all the IP addresses for a
newly assigned network, preventing the legitimate users from setting up
their own name servers. A bunch of attackers doing this for fun could
cause endless hassle for NSI and its new registrants. Fix: Scrap the
bogus requirement that different names have different IP addresses.