OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: The out-of-domain NS registration attack
From: Chris Adams (cmadamsHIWAAY.NET)
Date: Mon Mar 20 2000 - 10:10:59 CST

Once upon a time, Sanford Whiteman <sanford.whitemanINTERNAL.CONVEY.COM> said:
> Dave, you are certainly correct. We just performed a giant name server
> migration and can verify that NSI's database has dual primary keys, or
> what-have-you, that prevent the attack. A name server's IP address can only
> be associated with one NIC handle...once you bind a hostname to the IP, the
> hostname is bound to the NIC handle as well. The only way to change this
> information is to be the contact for the name server's domain. No one else
> can duplicate either of the keys.

What you are missing is this: if a domain has name servers that do NOT
exist in the root server list, they can be changed. The original
example of hotmail.com was a good one.

hotmail.com. 12m40s IN NS ns3.hotmail.com.
hotmail.com. 12m40s IN NS ns1.jsnet.com.
hotmail.com. 12m40s IN NS ns1.hotmail.com.

ns1.jsnet.com is not a registered name server, so you could try to
register an IP address for it other than its real address.

Now, if NetSol (and all of the registrars) restrict registration of a
name server to the technical/zone contacts for the domain (jsnet.com in
the above case), you _should_ still be okay. 

--
Chris Adams <cmadamshiwaay.net>
Systems and Network Administrator - HiWAAY Information Services
I don't speak for anybody but myself - that's enough trouble.