RFC 1535 (rfc1535) - Page 2 of 5


A Security Problem and Proposed Correction With Widely Deployed DNS Software






RFC 1535               DNS Software Enhancements            October 1993


   The resolver client will realize that since "UnivHost.University.EDU"
   does not end with a ".", it is not an absolute "rooted" FQDN.  It
   will then try the following combinations until a resource record is
   found:

                UnivHost.University.EDU.Tech.ACES.COM.
                UnivHost.University.EDU.ACES.COM.
                UnivHost.University.EDU.COM.
                UnivHost.University.EDU.

Security Issue

   After registering the EDU.COM domain, it was discovered that an
   indiscriminate application of one wildcard CNAME record would cause
   *all* connections from any .COM site to any .EDU site to terminate at
   one target machine in the private edu.com sub-domain.

   Further, discussion reveals that specific hostnames registered in
   this private subdomain, or in any similarly named subdomain, may be
   used to spoof a host.

        Example:        harvard.edu.com.        CNAME   targethost

   Thus all connections to Harvard.edu from all .com sites would end up
   at targethost, a machine which could provide a Harvard.edu login banner.

   This is clearly unacceptable.  Further, it could only be made worse
   with domains like COM.EDU, MIL.GOV, GOV.COM, etc.
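
   The implicit search-list expansion above and the EDU.COM wildcard case,
   modelled as an added example (not code from the RFC): it reproduces the
   candidate order for a host in Tech.ACES.COM, resolves against a
   constructed zone holding the wildcard CNAME, and flags the answer
   because it lands under a different top-level domain than the name the
   user typed.  The zone contents and the full "targethost.edu.com." CNAME
   target are assumptions for illustration.

```python
from __future__ import annotations
from typing import Optional


def search_candidates(name: str, local_domain: str) -> list[str]:
    """Absolute names the RFC's resolver tries, in order.

    A name ending in "." is rooted and tried as-is.  Otherwise the host's
    own domain and each of its parents are appended in turn
    (Tech.ACES.COM -> ACES.COM -> COM), then the bare name as rooted.
    """
    if name.endswith("."):
        return [name]
    labels = local_domain.rstrip(".").split(".")
    suffixes = [".".join(labels[i:]) for i in range(len(labels))]
    return [f"{name}.{s}." for s in suffixes] + [f"{name}."]


def zone_lookup(candidate: str, zone: dict[str, str]) -> Optional[str]:
    """Exact owner first, then a wildcard owner one label up (*.parent.).
    Simplified wildcard matching; one level is enough for the RFC's case."""
    c = candidate.lower()
    if c in zone:
        return zone[c]
    parent = c.split(".", 1)[1]
    return zone.get(f"*.{parent}")


def first_answer(name: str, local_domain: str,
                 zone: dict[str, str]) -> Optional[tuple[str, str]]:
    """First candidate with a record wins, as the RFC's resolver behaves."""
    for cand in search_candidates(name, local_domain):
        target = zone_lookup(cand, zone)
        if target is not None:
            return cand, target
    return None


def crosses_tld(typed: str, matched: str) -> bool:
    """True when the matched absolute name sits under a different top-level
    domain than the one the user typed: the spoofing case in the RFC."""
    typed_tld = typed.rstrip(".").rsplit(".", 1)[-1].lower()
    matched_tld = matched.rstrip(".").rsplit(".", 1)[-1].lower()
    return typed_tld != matched_tld


# Constructed zone for the registered EDU.COM sub-domain; "targethost" is
# the RFC's placeholder, the full CNAME target is assumed here.
ZONE = {"*.edu.com.": "targethost.edu.com."}
```

   A lookup of "harvard.edu" from Tech.ACES.COM matches the wildcard at
   the third candidate, "harvard.edu.COM.", while the rooted
   "harvard.edu." never touches the EDU.COM zone.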

Public vs. Local Name Space Administration

   The specification of the Domain Name System and the software that
   implements it provides an undifferentiated hierarchy which permits
   delegation of administration for subordinate portions of the name
   space.  Actual administration of the name space is divided between
   "public" and "local" portions.  Public administration pertains to all
   top-level domains, such as .COM and .EDU.  For some domains, it also
   pertains to some number of sub-domain levels.  The multi-level nature
   of the public administration is most evident for top-level domains
   for countries.  For example in the Fully Qualified Domain Name,
   dbc.mtview.ca.us., the portion "mtview.ca.us" represents three levels
   of public administration.  Only the left-most portion is subject to
   local administration.


Gavron