[dns-operations] Signing on the fly and UltraDNS

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Jan 5 08:20:16 UTC 2021


> On Jan 5, 2021, at 6:00 AM, Paul Vixie <paul at redbarn.org> wrote:
> 
> (moral of story: zone transfer is not the risk surface anybody thought it was.)

You missed some. :-)  The implementation fails to protect the real zone
entries from all possible queries and the right query pattern admits easy
enumeration of the zone content, the first 40 names are:

Since the names of Congress members are hardly a secret, this is of little
consequence.

-- 
	Viktor.




