[jdev] Second-guessing dns for s2s
thoutbeckers at splendo.com
Thu Sep 22 20:01:22 CDT 2005
On Thu, 22 Sep 2005 22:53:20 +0200, JD Conley <jd.conley at coversant.net>
>> This is bad engineering i.t.o. creating undesirable impact on the
> What is the undesirable impact? Sure, there are a few more DNS lookups
> and potentially more connections and some stream errors. That doesn't
> seem like much of an impact. I don't see the harm in connecting to hosts
> that do not provide service to the domain you need. This is flushed out
> rather quickly in the S2S process.
It is, at least, a minor security risk. Only "minor" because running the
server on a domain you do not own isn't very safe to begin with, but none
the less this creates situations that are undesirable, and break the
principles behind the security provided by the dailback mechanism. Let's
say there is a "dynamic DNS" provider, that let's you link a subdomain to
an IP adress. Now let's say I register the username "John Doe" and get the
DNS name john.doe.dyndns.example.org. A malicious person could register
the username "Doe" and as soon as my Jabber server goes down, will with
some luck be able to impersonate all the users on my server.
That is, if Jive is used, of course.
More information about the JDev