[jdev] Second-guessing dns for s2s

Tijl Houtbeckers thoutbeckers at splendo.com
Thu Sep 22 20:01:22 CDT 2005

On Thu, 22 Sep 2005 22:53:20 +0200, JD Conley <jd.conley at coversant.net>  

>> This is bad engineering i.t.o. creating undesirable impact on the
> broader
>> Internet.
> What is the undesirable impact? Sure, there are a few more DNS lookups
> and potentially more connections and some stream errors. That doesn't
> seem like much of an impact. I don't see the harm in connecting to hosts
> that do not provide service to the domain you need. This is flushed out
> rather quickly in the S2S process.

It is, at least, a minor security risk. Only "minor" because running the  
server on a domain you do not own isn't very safe to begin with, but none  
the less this creates situations that are undesirable, and break the  
principles behind the security provided by the dailback mechanism. Let's  
say there is a "dynamic DNS" provider, that let's you link a subdomain to  
an IP adress. Now let's say I register the username "John Doe" and get the  
DNS name john.doe.dyndns.example.org. A malicious person could register  
the username "Doe" and as soon as my Jabber server goes down, will with  
some luck be able to impersonate all the users on my server.

That is, if Jive is used, of course.

More information about the JDev mailing list