Consider the following hypothetical situation: A webhosting company has a single nameserver (bound to two IPs, of course) on which it places zones for all sites hosted on the server. Customer 1 has a site "www.domain.tld" hosted on the server, and has "domain.tld" delegated to the nameserver. Cracker 2 asks to create a site "sub.domain.tld" on the same server.

If the server doesn't check for shared domain suffixes, it would go ahead and create the zone files for
"sub.domain.tld", and by virtue of Customer 1's delegation of "domain.tld" to the same nameserver, the DNS would resolve.

The solution, presumably -- at least, I can't think of any other -- is to check, before creating new zone files, that the longest domain suffix shared with another zone is either owned by the same customer OR is a "public domain suffix" (eg, .com, .net, .org, .co.uk, .dhs.com, etc.).

Is there any other solution? And if not, is there any simple mechanism for determining if a shared domain suffix is "public"?

Maybe I'm missing the point... :) What is the "problem" that you're trying to fix?

What operating system are you running. I am assuming that you running Linux, and an Apache server, right? If so, a quick 5 minute Perl script could solve the problem. Running in an endless loop, it would use very little resources and catch the problem within seconds of beginning the new project......

Rehan, the problem is that without proper attention to this issue people would be able to create websites on subdomains of each other's domains.

IPCPRO, :rolleyes: yes I know the answer it to use a perl script. The question was what should go into it.

Oh, okay. I can see how that could be a problem. I can't think of a better way than you're already planning to do it...

Let me know what your O/S is, and post what you've got so far in the way of a Perl script. I'll be happy to help you polish it up...

I will be more interested in how this could be done in perl! I am no perl man ;-) I am a Java man(Jman)

This is probably an ignorant question, but shouldn't the subdomain be created as an A record in the zone file of the domain, and not as an entirely new zone? If that was how you handled it, only Customer 1 would be able to create subdomains on his domain, unless Cracker 2 somehow compromised Customer 1's interface to your nameserver administration tool. Feel free to educate me on any oversights I've made. :)

Andy