<all the standard disclaimers>

Those whom I'm speaking to know the security and routing vulnerabilities associated with name resolution. (others, some background: http://citeseer.nj.nec.com/schuba93addressing.html , http://citeseer.nj.nec.com/lioy00dns.html)

Anyway, I wish I were providing solutions or even offering new information. Instead, I'm looking for some insight. It has come to my attention that some ISPs and most web-hosting companies I've researched allow their customers to freely configure their forward and reverse DNS through some sort of interface or ticket submission, neither of which goes through any sort of validation. This not only poses a serious security risk to their customers, but to any domain one of their customers chooses to hijack.

The argument of these companies is "there is not real validation process available", that "registrars list disclaimers with their whois information [that it may not be valid]" and "the hundreds of changes and discrepancies reported [each month] would cost too much administratively". While I see the validity in their arguments, I cannot help but shudder at the possible repercussions of giving in to such obstacles. Is it so impossible to implement an authentication process that could be script automated--at least weeding out all but the most dedicated poisoner?

I've toyed around with a couple of solutions; I would like some input from "the inspired" before I attempt to publish anything. (And, props to Vixie for his continuous work on BIND and those engineers collaborating on DNSSEC)

j
participants (1): jnull