[Gllug] speaking of DNS server setups...
Nix
nix at esperi.org.uk
Wed Jan 5 22:55:59 UTC 2005
On Wed, 05 Jan 2005, Mike Brodbelt prattled cheerily:
> Yes, you can do all the above. For a memorable example of the use of
> wildcard records, think of Verisign's sitefinder "service". They should
> be used only after careful thought though - they cause many problems,
> usually due to the implementor not fully considering what the resolver
> actually does when you search for a non-fully qualified name. From RFC
> 1912:-
>
> ===================================================================
> Wildcard As and CNAMEs are possible too, and are really confusing to
> users, and a potential nightmare if used without thinking first. It
> could result (due again to domain searching) in any telnet/ftp attempts
> from within the domain to unknown hosts to be directed to one address.
> One such wildcard CNAME (in *.edu.com) caused Internet-wide loss of
> services and potential security nightmares due to unexpected
> interactions with domain searching. It resulted in swift fixes, and even
> an RFC ([RFC1535]) documenting the problem.
> ===================================================================
[reads 1535]
AUGH! What a nasty side-effect.
As I read it, the problem there wasn't what we now consider implicit
search, though: it was a completely implicit search, done without a
`search' option in resolv.conf or anything, which would happily append
things like .co.uk and .uk and suchlike things to the ends of domain
names.
--
`The sword we forged has turned upon us
Only now, at the end of all things do we see
The lamp-bearer dies; only the lamp burns on.'
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
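
Added example, not part of the original message or of any resolver's code: a simplified Python model of the implicit search described above (the local domain's parents appended one by one) next to an explicit `search' list, showing which name answers first when a *.edu.com wildcard exists. The search ordering, the function names and every host and domain name other than edu.com are assumptions made for illustration.

```python
# Added illustration; not code from the thread or from any resolver.
# Simplified model: the pre-RFC 1535 resolver appends the local domain and
# then every parent of it (down to the bare TLD), and tries the name as
# typed only last. All host and domain names below are constructed.

def implicit_candidates(name, local_domain):
    """Names tried, in order, under the legacy implicit search."""
    name = name.rstrip(".").lower()
    labels = local_domain.strip(".").lower().split(".")
    suffixes = [".".join(labels[i:]) for i in range(len(labels))]
    return [f"{name}.{s}" for s in suffixes] + [name]

def explicit_candidates(name, search):
    """Names tried with an explicit `search' list; a name that already
    contains a dot is tried as typed first (the RFC 1535 correction)."""
    name = name.rstrip(".").lower()
    expanded = [f"{name}.{s.strip('.').lower()}" for s in search]
    return [name] + expanded if "." in name else expanded + [name]

def resolves(fqdn, records, wildcards):
    """True if fqdn exists outright or falls under a wildcard's parent."""
    return fqdn in records or any(fqdn.endswith("." + w) for w in wildcards)

def first_answer(candidates, records, wildcards):
    """The resolver stops at the first candidate that returns data."""
    return next((c for c in candidates if resolves(c, records, wildcards)), None)

def outside_candidates(candidates, name, local_domain):
    """Candidates that are neither the name as typed nor inside the local
    domain: queries answered by zones other than the local domain's own."""
    name = name.rstrip(".").lower()
    inside = "." + local_domain.strip(".").lower()
    return [c for c in candidates if c != name and not c.endswith(inside)]

LOCAL = "eng.example.com"          # constructed client domain
WANTED = "host.campus.edu"         # constructed name the user typed
RECORDS = {"host.campus.edu"}      # constructed: the real host exists
WILDCARDS = {"edu.com"}            # parent of the *.edu.com wildcard

if __name__ == "__main__":
    old = implicit_candidates(WANTED, LOCAL)
    new = explicit_candidates(WANTED, [LOCAL])
    print("implicit:", old, "->", first_answer(old, RECORDS, WILDCARDS))
    print("explicit:", new, "->", first_answer(new, RECORDS, WILDCARDS))
    print("leaves the site:", outside_candidates(old, WANTED, LOCAL))
```

Running outside_candidates() over the names users actually type is a quick way to see which lookups a given local domain would hand to zones it does not run.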