RFC 1535 (rfc1535) - Page 3 of 5
A Security Problem and Proposed Correction With Widely Deployed DNS Software
RFC 1535 DNS Software Enhancements October 1993
The danger of the heuristic search common in current practice is that
it is possible to "intercept" the search by matching against an
unintended value while walking up the search list. While this is
potentially dangerous at any level, it is entirely unacceptable when
the error impacts users outside of a local administration.

When attempting to resolve a partial domain name, DNS resolvers use
the Domain Name of the searching host for deriving the search list.
Existing DNS resolvers do not distinguish the portion of that name
which is in the locally administered scope from the part that is
publicly administered.

Solution(s)

At a minimum, DNS resolvers must honor the BOUNDARY between local and
public administration, by limiting any search lists to locally-
administered portions of the Domain Name space. This requires a
parameter which shows the scope of the name space controlled by the
local administrator.

This would permit progressive searches from the most qualified to
less qualified up through the locally controlled domain, but not
beyond.

For example, if the local user were trying to reach:
from
starburst.astro.DESERTU.EDU,
it is reasonable to permit the user to enter just chief.admin, and
for the search to cover:

     chief.admin.astro.DESERTU.EDU
     chief.admin.DESERTU.EDU

but not

     chief.admin.EDU

In this case, the value of "search" should be set to "DESERTU.EDU"
because that's the scope of the name space controlled by the local
DNS administrator.

This is more than a mere optimization hack. The local administrator
has control over the assignment of names within the locally
administered domain, so the administrator can make sure that
abbreviations result in the right thing. Outside of the local
control, users are necessarily at risk.
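
The bounded search described above, as an added example that is not part of the RFC text or of any resolver's code. The function names are hypothetical, and the unbounded walk is modelled only on this page's description (the candidate chief.admin.EDU is what it produces and the bounded search omits).

```python
def _labels(name):
    # DNS names compare case-insensitively; normalise and drop a trailing dot.
    return [p for p in name.lower().rstrip(".").split(".") if p]


def legacy_candidates(partial, host_fqdn):
    """Unbounded walk: append every parent domain of the host, TLD included."""
    parents = _labels(host_fqdn)[1:]          # strip the host label itself
    prefix = ".".join(_labels(partial))
    return [prefix + "." + ".".join(parents[i:]) for i in range(len(parents))]


def bounded_candidates(partial, host_fqdn, local_scope):
    """Walk up from the host's domain, stopping at local_scope (the boundary)."""
    if partial.endswith("."):                 # already fully qualified: no search
        return [".".join(_labels(partial))]
    parents, scope = _labels(host_fqdn)[1:], _labels(local_scope)
    if not scope or parents[-len(scope):] != scope:
        raise ValueError("host is not inside the locally administered scope")
    prefix = ".".join(_labels(partial))
    steps = len(parents) - len(scope) + 1     # suffixes down to the scope, inclusive
    return [prefix + "." + ".".join(parents[i:]) for i in range(steps)]


def crossed_boundary(partial, host_fqdn, local_scope):
    """Candidates the unbounded walk would send outside local administration."""
    safe = set(bounded_candidates(partial, host_fqdn, local_scope))
    return [c for c in legacy_candidates(partial, host_fqdn) if c not in safe]


if __name__ == "__main__":
    host, scope = "starburst.astro.DESERTU.EDU", "DESERTU.EDU"
    print("bounded :", bounded_candidates("chief.admin", host, scope))
    print("rejected:", crossed_boundary("chief.admin", host, scope))
```

A resolver audit can run crossed_boundary over a host's configured search list: any non-empty result is a query that leaves the locally administered name space.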
Gavron