On Wed, 27 Mar 2002, N. Lyne wrote:

> Why would you consider it a bug? This is a nice way to keep hijacking
> of domains away from the owner even if the owner's userid/password was
> compromised. The person gaining access to the user's account could not
> transfer the domain away, nor transfer DNS delegation to another group
> of DNS servers without getting another person (you or I) to unlock the
> client's domain. Thereby providing a two-step process to moving vital
> parts of a domain. How often do people actually change their DNS
> servers anyway? It's not normally something people would do on a daily
> or weekly basis...
>
> So far my clients are actually enjoying the idea of tighter security
> over their domains, and a two-step process like this seems to give a
> bit more assurance that their domain will not get pulled out from
> under them.
>
> Anyway, off to find a cup of coffee, but I would NOT consider this a
> bug.

That's a good point. I hadn't conceived of that being a compromise because the majority of our customers don't have the username and password and don't even know that they might want to ask for it. Beyond that, I haven't heard of people actually doing that. This is one of those "theoretical holes" that is certainly worth not letting become a real vulnerability.

--
</chris>

Sometimes I lie awake at night and I ask, "Where have I gone wrong?"
Then a voice says to me, "This is going to take more than one night."
