On Fri, 29 Jan 2016 11:52:11 -0500 James Cloos <[email protected]> wrote:
> >>>>> "FB" == Frederik Braun <[email protected]> writes:
>
> FB> I'm concerned that everyone having to update their blacklists[1]
> FB> will lead to more trouble.
>
> They really all ought to forbid any label which starts with an
> underscore.

Agreed. Underscores are not allowed in hostnames, so dynamic DNS services should not allow registration of such names (I don't even understand why they would allow TXT records). If they do allow registration of arbitrary TXT records for names starting with underscores, then they are also allowing attackers to set arbitrary DKIM and DMARC records for their domain, and probably inflict other damage. The dynamic DNS service in question[1] also claims support for SRV records, so there's a good chance they're also allowing attackers to hijack various services for their domain.

I consider this similar to (but less likely than) web hosts allowing user uploads to the /.well-known directory. Operators ought to know better, and while there's a risk that some won't, it's a risk that has to be tolerated if DV is to exist at all.

Andrew

[1] https://freedns.afraid.org/

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
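An added example, not part of the thread, of the registration check the discussion argues a dynamic DNS operator should enforce: every label of a requested name is held to the RFC 1123 hostname rules and any label beginning with an underscore is refused, since those labels are where DKIM, DMARC and SRV records live. The function names and the sample requests are constructed for illustration.

```python
import re

# RFC 1123 hostname label: letters, digits and hyphens, no leading or
# trailing hyphen, 1 to 63 octets.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_registration(name: str) -> tuple[bool, str]:
    """Decide whether a dynamic DNS operator should accept `name` as a
    user-registrable hostname. Returns (accepted, reason).

    Every label is checked, not only the leftmost one, so an underscore
    label cannot be hidden deeper in the name (selector._domainkey.<zone>).
    """
    name = name.rstrip(".")  # tolerate the trailing-dot FQDN form
    if not name or len(name) > 253:
        return False, "empty name or longer than 253 octets"
    for label in name.split("."):
        if label.startswith("_"):
            # _domainkey (DKIM), _dmarc (DMARC) and _service._proto (SRV)
            # all sit under underscore labels; a user who owns one can
            # publish those records for the zone.
            return False, f"label {label!r} starts with an underscore"
        if not _LABEL_RE.match(label):
            return False, f"label {label!r} is not a valid hostname label"
    return True, "ok"


# Constructed sample of registration requests a service might receive.
SAMPLE_REQUESTS = [
    "myhost.example.net",
    "_dmarc.example.net",
    "selector._domainkey.example.net",
    "_sip._tcp.example.net",
    "bad-.example.net",
    "myhost.example.net.",
]


def audit(requests=SAMPLE_REQUESTS) -> dict[str, str]:
    """Map each rejected request to the reason it was refused."""
    rejected = {}
    for name in requests:
        ok, reason = check_registration(name)
        if not ok:
            rejected[name] = reason
    return rejected


if __name__ == "__main__":
    for name, reason in audit().items():
        print(f"reject {name}: {reason}")
```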
