Mailinglist Archive: opensuse-security (375 mails)

Re: [suse-security] DNS
  • From: Steffen Dettmer <steffen@xxxxxxx>
  • Date: Thu, 12 Sep 2002 09:43:43 +0200
  • Message-id: <20020912094342.J4954@xxxxxxxxx>
* Michael Zimmermann wrote on Wed, Sep 11, 2002 at 10:45 +0200:
> At Wednesday, 11 September 2002 10:14 Reckhard, Tobias wrote:
> > [about how to do reverse delegation for one's IP's]
> > Either you use the RFC 2317 muck to work around BIND's configuration file
> > problems with CIDR, introducing lots of ugly CNAMEs in the process.
>
> Pardon me, Tobias,
>
> you're saying, that there is a way to do reverse delegation WITHOUT
> either having the corresponding arpa zone delegated to you (either
> as a class-C delegation or a partial one through RFC2317) ?
>
> How?

He said that it is possible to delegate each single IP address.

> That would mean you could (howsoever ugly) go around the
> arpa authoritative nameserver for the class-C subnet --

No, you cannot, no one would ask your server. Well, but you *can*
insert faked data without any problems, but you'd need some
poisoning to spread it. Or if you have control over some
forwarders, you can put the zones here, and the forwarder would
send "your" responses.

> which would be certainly security related in my version of
> the DNS bible.

DNS is not made for security!

oki,

Steffen

--
This letter was generated by machine
and therefore bears neither signature nor seal.
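
As an added illustration (not part of the original mail), this Python example generates the records the parent /24 reverse zone would carry for the two approaches discussed in the thread: RFC 2317 classless delegation and per-address NS delegation. The block 192.0.2.64/29 and the name servers under customer.example are constructed sample values.

```python
import ipaddress

def _check(cidr):
    # Only IPv4 blocks smaller than a /24 need sub-/24 reverse delegation.
    net = ipaddress.ip_network(cidr)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("expected an IPv4 block smaller than a /24")
    return net

def parent_origin(net):
    # Name of the /24 reverse zone that contains the block.
    a, b, c, _ = str(net.network_address).split(".")
    return f"{c}.{b}.{a}.in-addr.arpa."

def rfc2317_records(cidr, nameservers, sep="/"):
    """Parent-zone records for RFC 2317: one delegated child zone plus
    one CNAME per address pointing into it (every address in the block,
    network and broadcast included)."""
    net = _check(cidr)
    origin = parent_origin(net)
    first = int(net.network_address) & 0xFF
    child = f"{first}{sep}{net.prefixlen}"   # e.g. "64/29"; some sites use "-"
    lines = [f"$ORIGIN {origin}"]
    lines += [f"{child} IN NS {ns}" for ns in nameservers]
    for addr in net:
        last = int(addr) & 0xFF
        lines.append(f"{last} IN CNAME {last}.{child}.{origin}")
    return lines

def per_ip_records(cidr, nameservers):
    """Parent-zone records when each address is delegated as its own zone:
    no CNAMEs, but the customer must serve one zone per address."""
    net = _check(cidr)
    lines = [f"$ORIGIN {parent_origin(net)}"]
    for addr in net:
        last = int(addr) & 0xFF
        lines += [f"{last} IN NS {ns}" for ns in nameservers]
    return lines

if __name__ == "__main__":
    # Constructed sample input.
    ns = ["ns1.customer.example.", "ns2.customer.example."]
    print("\n".join(rfc2317_records("192.0.2.64/29", ns)))
    print()
    print("\n".join(per_ip_records("192.0.2.64/29", ns)))
```

Either way the records live in the parent zone, so resolvers reach the customer's servers only through the delegation that zone's operator publishes.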
