Re: food for thought -- root zone exposures

[Valdis.Kletnieks () vt edu]

On Thu, 26 Jun 2003 23:25:06 EDT, Len Rose <len () netsys com>  said:

> http://www.ietf.org/internet-drafts/draft-ietf-dnsop-bad-dns-res-01.txt
>
>
> At the risk of appearing somewhat jaundiced, I'll bet someone
> that it's an M$ nameserver implementation that they're
> referring to.

Section 3 (client) is a combination of NAT, poor configuration on the ISP's part,
and MS's ActiveDirectory.  The basic scenario is that you get a Windows box
that gets DHCP'ed with an RFC1918 space, and it tries to register itself.   The local
DNS doesn't know squat about the space because it's misconfigued, so the client
walks up the tree.  The ISP fails to do ingress filtering, and things go pear-shaped quickly.

And it's worse than that I-D says - see this for a hint HOW bad:

http://www.nanog.org/mtg-0210/wessels.html

Attachment: _bin
Description: