[dhcwg] Re: draft-aboba-dhc-domsearch-08.txt
Bernard Aboba <aboba@internaut.com> Wed, 09 January 2002 00:01 UTC
Date: Tue, 08 Jan 2002 15:35:43 -0800
From: Bernard Aboba <aboba@internaut.com>
To: Thomas Narten <narten@us.ibm.com>
cc: dhcwg@ietf.org
In-Reply-To: <200201081643.g08GhE716312@rotala.raleigh.ibm.com>
Message-ID: <Pine.BSF.4.21.0201081532080.79818-100000@internaut.com>
Subject: [dhcwg] Re: draft-aboba-dhc-domsearch-08.txt

> Please make the document clear on this point.

OK.

> 2) The security recommendation for avoiding hijack seems to
> be equivalent to saying don't use the option if you want to be
> secure:
>
> > To avert this attack, where DNS parameters such as the domain searchlist
> > have been manually configured, these parameters SHOULD NOT be overridden
> > by DHCP.
>
> If I am open to receiving the option, I'll take a searchlist that
> sends my mail for humanresources.myorg.com to
> humanresources.rogue.com.

If you've already got myorg.com configured as your default domain, then
this won't happen. It also won't happen if you're using DHCP
authentication.

> At least, point out that the authentication option is needed to prevent
> this kind of attack.

OK.

> Might also be useful to mention 1535, since it discusses a similar
> issue.

Yes, and I believe it's also discussed in RFC 1536 as well.
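
Added example, not part of the original message or of the draft: a sketch of the client-side decision the thread discusses, keeping a manually configured search list and accepting a DHCP-supplied one only under an authentication policy. ResolverConfig, apply_dhcp_searchlist, candidates and the require_auth knob are hypothetical names, the name expansion is simplified to single-label names, and the offer is a constructed sample.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ResolverConfig:
    search: Tuple[str, ...]   # domain search list, in lookup order
    manual: bool              # True if an administrator set it by hand


def apply_dhcp_searchlist(cfg: ResolverConfig, offered: List[str],
                          authenticated: bool,
                          require_auth: bool = True) -> Tuple[ResolverConfig, str]:
    """Decide whether a search list offered in a DHCP reply replaces cfg."""
    if cfg.manual:
        # Draft text quoted in the thread: manually configured DNS
        # parameters SHOULD NOT be overridden by DHCP.
        return cfg, "kept: manual configuration"
    if require_auth and not authenticated:
        # Assumed local policy (hypothetical knob), following the thread's
        # point that DHCP authentication is what prevents the hijack.
        return cfg, "kept: offer not authenticated"
    return ResolverConfig(tuple(offered), manual=False), "replaced by DHCP"


def candidates(name: str, cfg: ResolverConfig) -> List[str]:
    """Names a stub resolver would try for a single-label name (simplified)."""
    if name.endswith(".") or "." in name:
        return [name.rstrip(".")]
    return [f"{name}.{suffix}" for suffix in cfg.search]


if __name__ == "__main__":
    rogue_offer = ["rogue.com"]           # constructed sample offer
    manual = ResolverConfig(("myorg.com",), manual=True)
    unset = ResolverConfig((), manual=False)
    for label, cfg, auth, req in [
        ("manual config", manual, False, False),
        ("no config, auth required", unset, False, True),
        ("no config, auth not required", unset, False, False),
    ]:
        new_cfg, reason = apply_dhcp_searchlist(cfg, rogue_offer, auth, req)
        print(f"{label}: {reason} -> {candidates('humanresources', new_cfg)}")
```

Only the third case, with no manual configuration and no authentication requirement, ends up resolving the short name under the offered domain.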
- [dhcwg] draft-aboba-dhc-domsearch-08.txt Thomas Narten
- [dhcwg] Re: draft-aboba-dhc-domsearch-08.txt Bernard Aboba