WARNING: AOL is hosed (again)

Mike Leber wrote:

> Yep, somebody modified the delegation via a forged domain
> modification email. An emergency root server update has been done to
> correct the problem.

Isn't an acknowledgement required with the correct tracking number?

If yes, were acknowledgement(s) also forged with guessed tracking numbers?

If yes to my second question, then the tracking numbers either need to be
made much longer and randomized or a one time pass phrase (session key)
needs to be added to the acknowledgement form.
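
[Added example, not part of the original thread and not NSI's actual system: the two fixes proposed above, a long random tracking number plus a one-time pass phrase that the acknowledgement must carry. The names `ChangeRegistry`, `submit`, `acknowledge` and the 24-hour window are assumptions made for illustration.]

```python
import hashlib
import hmac
import secrets
import time

TOKEN_BYTES = 16          # 128 bits of randomness, infeasible to guess
TTL_SECONDS = 24 * 3600   # assumed acknowledgement window


class ChangeRegistry:
    """Pending domain-modification requests awaiting acknowledgement (hypothetical)."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # tracking id -> (pass phrase digest, expiry, domain)

    def submit(self, domain):
        """Register a request; return (tracking_id, token) to mail to the contact on file."""
        tracking_id = secrets.token_hex(TOKEN_BYTES)   # random, not sequential
        token = secrets.token_urlsafe(TOKEN_BYTES)     # one-time pass phrase
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[tracking_id] = (digest, self._now() + TTL_SECONDS, domain)
        return tracking_id, token

    def acknowledge(self, tracking_id, token):
        """Return the domain to modify if the acknowledgement is valid, else None."""
        entry = self._pending.get(tracking_id)
        if entry is None:
            return None                      # unknown or guessed tracking number
        digest, expiry, domain = entry
        if self._now() > expiry:
            del self._pending[tracking_id]   # stale request is discarded
            return None
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, digest):
            return None                      # wrong pass phrase, constant-time compare
        del self._pending[tracking_id]       # one-time: a replayed ACK fails
        return domain
```
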

You can actually set a domain name so that it cannot be changed, by
any template, by any modification, correct guardian or NOT.

I would ass-u-me AOL did this, but obviously their DNS admins aren't
clued enough to figure this one out.

Time to hire people that know *all* of what they're supposed to do, not
just what they read out of an ORA book.

Gah.

James Rishaw <jamie@dilbert.ais.net> writes:

> You can actually set a domain name so that it cannot be changed, by
> any template, by any modification, correct guardian or NOT.
>
> I would ass-u-me AOL did this, but obviously their DNS admins aren't
> clued enough to figure this one out.
>
> Time to hire people that know *all* of what they're supposed to do, not
> just what they read out of an ORA book.

Um, as anyone who's dealt with NSI on a non-casual level can tell you,
it's entirely possible that AOL had Guardian set up to disallow any
changes, as well as having the domain ``locked'' against any email changes
at all, and still have an unauthorized change occur. This is *not* the
first time a service-interrupting unauthorized DNS change (deliberate
or accidental) has slipped through NSI, though this is almost definitely
the biggest network to be affected.

And, two years later, the BEFORE-USE Guardian attribute *still*
doesn't work, natch.

ObUsefulInformation:

zone "aol.com" {
        type stub;
        file "zones/stub-aol.com";
        masters {
                152.163.200.52;
                152.163.200.116;
        };
};

[ Only works in BIND 8, but why are you still running 4.9.* anyway?
You can't put this into IOS, but you can put this into the nameservers
that your router uses... :-) ]

Because we haven't had the time to learn how to do the GRS stuff in
BIND8.<grin>