[afrinic-discuss] Security hole in the procedure? (Was: Afrinic and the reverse delegation

Ernest Byaruhanga ernest at afrinic.net
Wed Apr 13 11:18:49 SAST 2005


hi Stephane,

Thanks - we'll look at this asap.

regards,
ernest

Stephane Bortzmeyer wrote:
> On Tue, Apr 12, 2005 at 11:41:16AM +0200,
>  Ernest Byaruhanga <ernest at afrinic.net> wrote
>  a message of 16 lines which said:
>
>
>>>Do you mean the actual delegation will take place, if I pass
>>>authentication?
>>
>>yes!
>
>
> Well, I did nothing (and especially did not fix the authentication, since
> I'm not the Sotelma) and the domain was nevertheless delegated this
> night.
>
> ~ % dig @ns-pri.ripe.net NS 96.64.217.in-addr.arpa
>
> ; <<>> DiG 9.2.4 <<>> @ns-pri.ripe.net NS 96.64.217.in-addr.arpa
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1091
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;96.64.217.in-addr.arpa.                IN      NS
>
> ;; AUTHORITY SECTION:
> 96.64.217.in-addr.arpa. 172800  IN      NS      ciwara.sotelma.ml.
> 96.64.217.in-addr.arpa. 172800  IN      NS      dogon.sotelma.ml.
>
> I assume some sort of cron-driven job found the domain object and
> added it to the zone. This is technically fine but it seems a serious
> security hole in Afrinic: I was able to delegate an in-addr.arpa
> without any authority on the inetnum and without being a LIR.
>
>
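The gate the quoted message found missing, as an added example that is not part of the original thread and not AfriNIC's code: before a zone-generation job picks up a `domain` object, check that the submitter authenticated as a maintainer authorised by the covering `inetnum`. The RIPE-style attribute names (`mnt-by`, `mnt-domains`), the inetnum range, the maintainer names and the `authenticated_as` parameter are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: the inetnum range and maintainer names are made up;
# only the zone name is the one from the thread.
SAMPLE_DB = """\
inetnum:     217.64.96.0 - 217.64.111.255
mnt-by:      EXAMPLE-LIR-MNT
mnt-domains: EXAMPLE-LIR-MNT

domain:      96.64.217.in-addr.arpa
mnt-by:      EXAMPLE-OUTSIDER-MNT
"""

def parse_objects(text):
    """Parse blank-line-separated objects into dicts: attribute -> list of values."""
    objects = []
    for block in text.strip().split("\n\n"):
        obj = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            obj.setdefault(key.strip(), []).append(value.strip())
        objects.append(obj)
    return objects

def zone_to_network(zone):
    """96.64.217.in-addr.arpa -> 217.64.96.0/24 (this sketch handles /24 zones only)."""
    name, suffix = zone.rstrip(".").lower(), ".in-addr.arpa"
    labels = name[:-len(suffix)].split(".") if name.endswith(suffix) else []
    if len(labels) != 3:
        raise ValueError("not a /24 in-addr.arpa zone: " + zone)
    return ipaddress.ip_network(".".join(reversed(labels)) + ".0/24")

def inetnum_range(obj):
    first, last = (ipaddress.ip_address(a.strip()) for a in obj["inetnum"][0].split("-"))
    return first, last

def may_delegate(domain, objects, authenticated_as):
    """True only if the submitter authenticated as a maintainer that the most
    specific covering inetnum authorises (mnt-domains, else mnt-by)."""
    net = zone_to_network(domain["domain"][0])
    parents = []
    for obj in objects:
        if "inetnum" in obj:
            first, last = inetnum_range(obj)
            if first <= net.network_address and net.broadcast_address <= last:
                parents.append((int(last) - int(first), obj))
    if not parents or authenticated_as is None:
        return False  # unregistered space or failed authentication: no delegation
    parent = min(parents, key=lambda p: p[0])[1]
    allowed = set(parent.get("mnt-domains") or parent.get("mnt-by", []))
    return authenticated_as in allowed
```

Passing `authenticated_as=None` models the case in the thread, where authentication was never passed and the object should not have reached the zone.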