Just for those who aren't aware yet, all your mail to aol.com is about to bounce.

sprunk@pegasus:~> host -t ns aol.com c.root-servers.net
Using domain server:
Name: c.root-servers.net
Address: 192.33.4.12
Aliases:

aol.com name server DNS2.AUTONET.NET
aol.com name server DNS1.AUTONET.NET

sprunk@pegasus:~> host -t mx aol.com dns.autonet.net
Error in looking up server name:
Host not found.

--
     |          |         Stephen Sprunk, KD5DWP, CCIE #3723
    :|:        :|:        NSA, Network Consulting Engineer
   :|||:      :|||:       14875 Landmark Blvd #400; Dallas, TX
.:|||||||:..:|||||||:.    Pager: 800-365-4578 / 800-901-6078
C I S C O S Y S T E M S   Email: ssprunk@cisco.com
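The delegation check from the session above, turned into a repeatable comparison against the nameserver set you expect (an added example, not part of the original post). The expected names and the second server's answer are constructed placeholders; only the c.root-servers.net answer is taken from the thread.

```python
import re

# Line shape printed by `host -t ns`, as in the session above.
NS_LINE = re.compile(r"^(\S+)\s+name server\s+(\S+)$", re.IGNORECASE)


def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.strip().lower().rstrip(".")


def parse_ns(host_output, zone):
    """Nameserver names that one `host -t ns <zone> <server>` run reported."""
    names = set()
    for line in host_output.splitlines():
        m = NS_LINE.match(line.strip())
        if m and norm(m.group(1)) == norm(zone):
            names.add(norm(m.group(2)))
    return names


def check_delegation(zone, expected, outputs_by_server):
    """Return {server: {"unexpected": [...], "missing": [...]}} for every
    parent server whose answer differs from the expected NS set."""
    want = {norm(n) for n in expected}
    findings = {}
    for server, output in outputs_by_server.items():
        seen = parse_ns(output, zone)
        if seen != want:  # also catches an empty or unparsable answer
            findings[server] = {"unexpected": sorted(seen - want),
                                "missing": sorted(want - seen)}
    return findings


# Placeholder names: the thread never lists the legitimate aol.com servers.
EXPECTED = ["ns1.expected.example", "ns2.expected.example"]

SAMPLE = {
    # Output as quoted in the post above.
    "c.root-servers.net": ("Using domain server:\nName: c.root-servers.net\n"
                           "Address: 192.33.4.12\nAliases:\n\n"
                           "aol.com name server DNS2.AUTONET.NET\n"
                           "aol.com name server DNS1.AUTONET.NET\n"),
    # Constructed: a parent server already carrying the expected delegation.
    "parent-b.example": ("aol.com name server ns1.expected.example.\n"
                         "aol.com name server ns2.expected.example.\n"),
}
```

Calling `check_delegation("aol.com", EXPECTED, SAMPLE)` reports only the server whose answer has drifted, which also shows when parent servers disagree with each other while a correction is still propagating.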
Yep, somebody modified the delegation via a forged domain modification email. An emergency root server update has been done to correct the problem.

Meanwhile, DNS1 and DNS2.AUTONET.NET are going to temporarily act authoritatively for AOL.COM until the ttl expires.

On 16 Oct 98, at 13:01, Stephen Sprunk wrote:

> Just for those who aren't aware yet, all your mail to aol.com is about to bounce.
>
> sprunk@pegasus:~> host -t ns aol.com c.root-servers.net
> Using domain server:
> Name: c.root-servers.net
> Address: 192.33.4.12
> Aliases:
>
> aol.com name server DNS2.AUTONET.NET
> aol.com name server DNS1.AUTONET.NET
>
> sprunk@pegasus:~> host -t mx aol.com dns.autonet.net
> Error in looking up server name:
> Host not found.
>
> --
>      |          |         Stephen Sprunk, KD5DWP, CCIE #3723
>     :|:        :|:        NSA, Network Consulting Engineer
>    :|||:      :|||:       14875 Landmark Blvd #400; Dallas, TX
> .:|||||||:..:|||||||:.    Pager: 800-365-4578 / 800-901-6078
> C I S C O S Y S T E M S   Email: ssprunk@cisco.com

Mark Borchers
Network Engineering Dept.
Network Two Communications Group
On Fri, 16 Oct 1998, Mark Borchers wrote:

> Yep, somebody modified the delegation via a forged domain modification email. An emergency root server update has been done to correct the problem.

Isn't an acknowledgement required with the correct tracking number?

If yes, were acknowledgement(s) also forged with guessed tracking numbers?

If yes to my second question, then the tracking numbers either need to be made much longer and randomized or a one time pass phrase (session key) needs to be added to the acknowledgement form.

Mike.

+------------------- H U R R I C A N E - E L E C T R I C -------------------+
| Mike Leber          Direct Internet Connections        Voice 408 282 1540 |
| Hurricane Electric  Web Hosting & Co-location            Fax 408 971 3340 |
| mleber@he.net                                           http://www.he.net |
+---------------------------------------------------------------------------+
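One way to implement the acknowledgement scheme suggested above: a long random one-time token, bound to the exact change request and compared in constant time (an added example, not part of the original post and not InterNIC's system). `AckRegistry`, its method names and the three-failure limit are hypothetical.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 3  # assumption: failed acknowledgements tolerated per request


def _request_digest(domain, template_text):
    """Digest binding a token to one specific change request."""
    return hashlib.sha256(f"{domain.lower()}\n{template_text}".encode()).digest()


class AckRegistry:
    """Hypothetical registry-side store of pending changes (not InterNIC's)."""

    def __init__(self):
        self._pending = {}  # tracking id -> [sha256(token), request digest, failures]

    def open_request(self, domain, template_text):
        """Record a pending change and return (tracking_id, one_time_token).

        The token is meant to be mailed only to the contact already on file,
        never back to whoever submitted the template.
        """
        tracking_id = secrets.token_hex(8)   # lookup handle, not a secret
        token = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
        self._pending[tracking_id] = [
            hashlib.sha256(token.encode()).digest(),
            _request_digest(domain, template_text),
            0,
        ]
        return tracking_id, token

    def acknowledge(self, tracking_id, token, domain, template_text):
        """True only for the right token on the unmodified request, once."""
        entry = self._pending.get(tracking_id)
        if entry is None:
            return False
        token_ok = hmac.compare_digest(
            entry[0], hashlib.sha256(token.encode()).digest())
        request_ok = hmac.compare_digest(
            entry[1], _request_digest(domain, template_text))
        if token_ok and request_ok:
            del self._pending[tracking_id]   # one-time: a replayed ack fails
            return True
        entry[2] += 1
        if entry[2] >= MAX_FAILURES:
            del self._pending[tracking_id]   # stop guessing; requester must resubmit
        return False
```

Because the token is checked against a digest of the request itself, an acknowledgement obtained for one template cannot be reused to approve a different set of nameservers.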
Mike Leber wrote:

> On Fri, 16 Oct 1998, Mark Borchers wrote:
>
> > Yep, somebody modified the delegation via a forged domain modification email. An emergency root server update has been done to correct the problem.
>
> Isn't an acknowledgement required with the correct tracking number?
>
> If yes, were acknowledgement(s) also forged with guessed tracking numbers?
>
> If yes to my second question, then the tracking numbers either need to be made much longer and randomized or a one time pass phrase (session key) needs to be added to the acknowledgement form.

You can actually set a domain name so that it cannot be changed, by any template, by any modification, correct guardian or NOT.

I would ass-u-me AOL did this, but obviously their DNS admins aren't clued enough to figure this one out. Time to hire people that know *all* of what they're supposed to do, not just what they read out of an ORA book.

Gah.

--
jamie rishaw (efnet:gavroche) American Information Systems, Inc.
Tel:312.425.7140, FAX:312.425.7240
-- Your silence will NOT protect you. -- "Did they just ask Don King to come to the lobby?!" - davidr
> > If yes to my second question, then the tracking numbers either need to be made much longer and randomized or a one time pass phrase (session key) needs to be added to the acknowledgement form.
>
> You can actually set a domain name so that it cannot be changed, by any template, by any modification, correct guardian or NOT.

Sounds like a nonreversible setting to me. What if you need to change it?

Anyway, I think that by default, the update goes through automatically, a positive acknowledgement is ignored (default behaviour) and a negative acknowledgement is honored. (Which means AOL should have been able to stop it).

Then there is the setting where the update will not go through by default, and a positive acknowledgement is required.

As to whether it all works as advertized (and PGP auth too?), who knows?

-Phil
Phillip Vandry wrote:

> > > If yes to my second question, then the tracking numbers either need to be made much longer and randomized or a one time pass phrase (session key) needs to be added to the acknowledgement form.
> >
> > You can actually set a domain name so that it cannot be changed, by any template, by any modification, correct guardian or NOT.
>
> Sounds like a nonreversible setting to me. What if you need to change it?

You call InterNIC and talk to who you got to set it in the first place. This is for reeaally high profile things, not like "bobsfish.com".

> Anyway, I think that by default, the update goes through automatically, a positive acknowledgement is ignored (default behaviour) and a negative acknowledgement is honored. (Which means AOL should have been able to stop it).

That Takes clues .. :)

--
jamie rishaw (efnet:gavroche) American Information Systems, Inc.
Tel:312.425.7140, FAX:312.425.7240
-- Your silence will NOT protect you. -- "Did they just ask Don King to come to the lobby?!" - davidr
Of course, these measures can only help but so much if your hostmaster blindly acks every piece of NIC mail that comes his way...

---------------------------------------------------------------------------
Blake Willis                                 703-448-4470x483
Network Engineer, New Customers              blakew@cais.net
CAIS Internet, a CGX Communications Company
---------------------------------------------------------------------------

On Fri, 16 Oct 1998, Phillip Vandry wrote:

> > > If yes to my second question, then the tracking numbers either need to be made much longer and randomized or a one time pass phrase (session key) needs to be added to the acknowledgement form.
> >
> > You can actually set a domain name so that it cannot be changed, by any template, by any modification, correct guardian or NOT.
>
> Sounds like a nonreversible setting to me. What if you need to change it?
>
> Anyway, I think that by default, the update goes through automatically, a positive acknowledgement is ignored (default behaviour) and a negative acknowledgement is honored. (Which means AOL should have been able to stop it).
>
> Then there is the setting where the update will not go through by default, and a positive acknowledgement is required.
>
> As to whether it all works as advertized (and PGP auth too?), who knows?
>
> -Phil
James Rishaw <jamie@dilbert.ais.net> writes:

> You can actually set a domain name so that it cannot be changed, by any template, by any modification, correct guardian or NOT. I would ass-u-me AOL did this, but obviously their DNS admins aren't clued enough to figure this one out. Time to hire people that know *all* of what they're supposed to do, not just what they read out of an ORA book.

Um, as anyone who's dealt with NSI on a non-casual level can tell you, it's entirely possible that AOL had Guardian set up to disallow any changes, as well as having the domain ``locked'' against any email changes at all, and still have an unauthorized change occur.

This is *not* the first time a service-interrupting unauthorized DNS change (deliberate or accidental) has slipped through NSI, though this is almost definitely the biggest network to be affected.

And, two years later, the BEFORE-USE Guardian attribute *still* doesn't work, natch.

ObUsefulInformation:

    zone "aol.com" {
            type stub;
            file "zones/stub-aol.com";
            masters { 152.163.200.52; 152.163.200.116; };
    };

[ Only works in BIND 8, but why are you still running 4.9.* anyway? You can't put this into IOS, but you can put this into the nameservers that your router uses... :) ]
At 04:51 PM 10/16/98 -0400, Michael Handler wrote:

> [ Only works in BIND 8, but why are you still running 4.9.* anyway? You can't put this into IOS, but you can put this into the nameservers that your router uses... :) ]

Because we haven't had the time to learn how to do the GRS stuff in BIND8.<grin>

___________________________________________________
Roeland M.J. Meyer, ISOC (InterNIC RM993)
e-mail: rmeyer@mhsc.com
Internet phone: hawk.mhsc.com
Personal web pages: www.mhsc.com/~rmeyer
Company web-site: www.mhsc.com/
___________________________________________
I bet the human brain is a kludge. -- Marvin Minsky
Yo Mark!

On Fri, 16 Oct 1998, Mark Borchers wrote:

> Yep, somebody modified the delegation via a forged domain modification email. An emergency root server update has been done to correct the problem.

Gee, they never do that for me. :-)

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem@rellim.com Tel:+1(541)383-2435
They didn't do it for us either. They did it for AOL. :-) Which really doesn't bother me too much. Some networks are definitely more equal than others, especially those with 10 million users.
> Yo Mark!
>
> On Fri, 16 Oct 1998, Mark Borchers wrote:
>
> > Yep, somebody modified the delegation via a forged domain modification email. An emergency root server update has been done to correct the problem.
>
> Gee, they never do that for me. :-)
>
> RGDS
> GARY
> ---------------------------------------------------------------------------
> Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
> gem@rellim.com Tel:+1(541)383-2435
participants (9)
- Blake Willis
- Gary E. Miller
- jamie@dilbert.ais.net
- Mark Borchers
- Michael Handler
- Mike Leber
- Phillip Vandry
- Roeland M.J. Meyer
- Stephen Sprunk