[afrinic-discuss] Security hole in the procedure? (Was: Afrinic and the reverse delegation
Stephane Bortzmeyer
bortzmeyer at nic.fr
Wed Apr 13 09:58:56 SAST 2005
On Tue, Apr 12, 2005 at 11:41:16AM +0200,
Ernest Byaruhanga <ernest at afrinic.net> wrote
a message of 16 lines which said:
> >Do you mean the actual delegation will take place, if I pass
> >authentication?
>
> yes!

Well, I did nothing (and especially did not fix the authentication, since
I'm not the Sotelma) and the domain was nevertheless delegated this
night.

~ % dig @ns-pri.ripe.net NS 96.64.217.in-addr.arpa

; <<>> DiG 9.2.4 <<>> @ns-pri.ripe.net NS 96.64.217.in-addr.arpa
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1091
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;96.64.217.in-addr.arpa. IN NS

;; AUTHORITY SECTION:
96.64.217.in-addr.arpa. 172800 IN NS ciwara.sotelma.ml.
96.64.217.in-addr.arpa. 172800 IN NS dogon.sotelma.ml.

I assume some sort of cron-driven job found the domain object and
added it to the zone. This is technically fine but it seems a serious
security hole in Afrinic: I was able to delegate an in-addr.arpa
without any authority on the inetnum and without being a LIR.