DNS rebinding: prevention?

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Aug 8 13:59:17 UTC 2007


On Wed, Aug 08, 2007 at 06:42:34AM -0400,
 Mordechai T. Abzug <morty+bind at frakir.org> wrote 
 a message of 74 lines which said:

> I submit that we have an inherently flawed model if I, as a
> sysadmin, cannot control my own DNS servers to prevent them from
> passing external entities' RRs that point at my own names and IPs.

This is the model used by the DNS from the beginning. The DNS does not
care about *identity*, it is just a *mapping* between domain names and
values (often IP addresses), without any regard for the semantics of
these values.

Changing this model just because you missed this important point seems
an over-reaction.

> but it takes one other protocol designer that doesn't understand DNS
> to do something stupid, and it becomes a problem.

Indeed, but if we change the DNS to something so radically different
from what it is now, people will do other stupid things with it.
 
> This is actually the second known time that DNS rebinding has been a
> problem.

And there have been millions of times where it has been useful that
you can direct your domain names to any value you choose.

> [Note: we can really only fix this for externals pointing to internal
> names/IPs, not for externals pointing to third-party names/IPs.  

No, you cannot even fix it. On your resolvers, you can (provided you
block outgoing access to port 53, to prevent your users from having their
own resolvers). On the whole Internet, consider that we still do not have
proper Internet Routing Registries, and you want the DNS to know that
www.frakir.org is not allowed to point to 192.134.4.69?
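The resolver-side filter discussed above (external names that answer with your internal addresses), as an added example that is not from this thread or from BIND itself: it takes a set of answer records, and drops A/AAAA records whose owner name is outside the zones the operator owns but whose address falls inside the operator's internal ranges. The zone names, address ranges and sample records are constructed for the example.

```python
# Added example, not code from the bind-users thread or from BIND.
# Drops A/AAAA answers from external zones that point at internal addresses,
# which is the resolver-side mitigation for DNS rebinding the thread discusses.
import ipaddress
from typing import Iterable, List, Tuple

# Address space this operator treats as internal (constructed list).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Zones this operator controls; names under them may point at internal IPs.
INTERNAL_ZONES = ("corp.example.", "example.internal.")

RR = Tuple[str, str, str]  # (owner name, rrtype, rdata)


def _is_internal_name(name: str) -> bool:
    """True if the owner name is the zone apex or below one of INTERNAL_ZONES."""
    name = name.lower().rstrip(".") + "."
    return any(name == z or name.endswith("." + z) for z in INTERNAL_ZONES)


def _is_internal_address(rdata: str) -> bool:
    """True if rdata parses as an address inside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(rdata)
    except ValueError:
        return False  # not an address literal; not our concern here
    # An IPv4-mapped IPv6 literal (::ffff:a.b.c.d) is judged by its embedded IPv4.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in INTERNAL_NETS)


def filter_answers(rrs: Iterable[RR]) -> Tuple[List[RR], List[RR]]:
    """Return (kept, dropped): A/AAAA records with an external owner name and an
    internal address are dropped; every other record passes through unchanged."""
    kept, dropped = [], []
    for name, rtype, rdata in rrs:
        external_to_internal = (rtype in ("A", "AAAA")
                                and not _is_internal_name(name)
                                and _is_internal_address(rdata))
        (dropped if external_to_internal else kept).append((name, rtype, rdata))
    return kept, dropped
```

As the message above notes, this only helps for clients that actually use your resolvers, and it does nothing for external names pointing at third-party addresses.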
