Bugtraq mailing list archives

Re: The out-of-domain NS registration attack


From: cmadams () HIWAAY NET (Chris Adams)
Date: Mon, 20 Mar 2000 10:10:59 -0600


Once upon a time, Sanford Whiteman <sanford.whiteman () INTERNAL CONVEY COM> said:
> Dave, you are certainly correct.  We just performed a giant name server
> migration and can verify that NSI's database has dual primary keys, or
> what-have-you, that prevent the attack.  A name server's IP address can only
> be associated with one NIC handle...once you bind a hostname to the IP, the
> hostname is bound to the NIC handle as well.  The only way to change this
> information is to be the contact for the name server's domain.  No one else
> can duplicate either of the keys.

What you are missing is this: if a domain has name servers that do NOT
exist in the root server list, they can be changed.  The original
example of hotmail.com was a good one.

hotmail.com.            12m40s IN NS    ns3.hotmail.com.
hotmail.com.            12m40s IN NS    ns1.jsnet.com.
hotmail.com.            12m40s IN NS    ns1.hotmail.com.

ns1.jsnet.com is not a registered name server, so you could try to
register an IP address for it other than its real address.

Now, if NetSol (and all of the registrars) restrict registration of a
name server to the technical/zone contacts for the domain (jsnet.com in
the above case), you _should_ still be okay.

--
Chris Adams <cmadams () hiwaay net>
Systems and Network Administrator - HiWAAY Information Services
I don't speak for anybody but myself - that's enough trouble.
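A defender-side check for the exposure discussed in this thread, added here as an example and not part of the original post: given a zone's NS hostnames, it reports which name servers lie outside the zone and which other domains' registrant contacts control them. The sample records are transcribed from the hotmail.com dig output above; the `owned` parameter and the two-label registrable-domain heuristic are assumptions of this example.

```python
"""Audit a zone's NS records for out-of-domain name servers.

Added example, not from the original Bugtraq post.  Reports which name
servers of a zone live outside it and which other domains' registrant
contacts control them, the dependency the post describes.  Sample
records are transcribed from the hotmail.com dig output quoted above.
"""


def normalize(name: str) -> str:
    """Lower-case a DNS name and strip the trailing dot."""
    return name.lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Two rightmost labels of a hostname.  Simplification: real tooling
    uses the Public Suffix List so that example.co.uk is handled."""
    return ".".join(normalize(host).split(".")[-2:])


def in_domain(host: str, zone: str) -> bool:
    """True if host is the zone apex or a name underneath it."""
    h, z = normalize(host), normalize(zone)
    return h == z or h.endswith("." + z)


def audit_ns(zone: str, nameservers: list[str],
             owned: tuple[str, ...] = ()) -> dict[str, list[str]]:
    """Split name servers into in-domain and out-of-domain hosts.

    `owned` lists other domains registered by the same operator; hosts
    under them are out-of-domain but not third-party dependencies.
    """
    trusted = {normalize(zone)} | {normalize(d) for d in owned}
    report = {"in_domain": [], "out_of_domain": [], "third_party_domains": []}
    for ns in nameservers:
        bucket = "in_domain" if in_domain(ns, zone) else "out_of_domain"
        report[bucket].append(normalize(ns))
    report["third_party_domains"] = sorted(
        {registrable_domain(ns) for ns in report["out_of_domain"]}
        - trusted
    )
    return report


# Constructed sample input, transcribed from the post's dig output.
HOTMAIL_NS = ["ns3.hotmail.com.", "ns1.jsnet.com.", "ns1.hotmail.com."]
if __name__ == "__main__":
    for d in audit_ns("hotmail.com", HOTMAIL_NS)["third_party_domains"]:
        print(f"hotmail.com delegation depends on contacts of {d}")
```

Any domain listed under `third_party_domains` is one whose contacts, per the post, can define or redefine the host record the zone delegates to, so it belongs on the operator's monitoring list.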
