Community

NZRS could not operate without being part of a wider technical community within NZ and internationally.

Important organisations

This is a list of some of the important players in this community:

Internet Systems Consortium (ISC): ISC makes the most popular open source DNS software, BIND, which we use extensively. They have also been pioneers in a number of important areas for DNS, including security and research.
The DNS Operations, Analysis, and Research Center (DNS-OARC): DNS-OARC started within ISC and is now a separate organisation. It is the primary DNS research organisation, supported by registries, registrars, DNS operators, academics and business.
Internet Assigned Numbers Authority (IANA): IANA is now a function performed by ICANN under contract to the US Department of Commerce that manages the root zone. In addition, IANA is the registry for many key protocol descriptors in use on the Internet.
Registration Infrastructure Security Group (RISG): RISG is a small group of registries, registrars and security companies working on practical data sharing to help with fighting crime on the Internet.
NZ Network Operators Group (NZNOG): NZNOG is a mailing list and annual conference. The individuals who participate are always willing to provide advice and assistance to us and colleagues when needed.

Acknowledging vulnerability disclosures

We wish to thank the following people for helping us to identify and fix security vulnerabilities:

Date / Who / Why

2013-09-05 Sahil Dhar

Login screen is vulnerable to iframe injection on a phished domain and frame protection headers should be used to prevent this.

2013-12-19 Daksh Patel

Login module does not implement effective brute-force protection, such as request rate-limiting.

2013-12-19 Nitin Goplani

The NZRS wiki does not implement frame protection headers.

2014-01-22 Rajesh TV

The NZRS mailserver should include smtpd_sender_restrictions to prevent unauthenticated external users from being able to send mail to NZRS accounts as another NZRS account.

2014-06-13 Javier Nieto Arevalo

A vulnerability in a CMS module used by the NZRS public website exposed sensitive information.

2016-03-22 Savan Gadhiya

A public webserver rewrite rule exposed an internal IP address when hit via HTTP 1.0 without a Host header.

2016-05-06 Daniel Bakker

The externally hosted NZRS blog exposed a .git archive of the blog theme.

2016-06-17 Emanuel Bronshtein

The broadbandmap.nz website was susceptible to a Reflected File Download attack via JavaScript.
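Two of the findings above (the login screen and the wiki) concern missing frame protection headers. The following is an added example, not NZRS code, showing how an operator can audit a set of HTTP response headers for effective clickjacking protection. It applies the browser precedence rules: an enforced Content-Security-Policy frame-ancestors directive overrides X-Frame-Options, a Report-Only policy does not block framing, and the obsolete ALLOW-FROM form is ignored by current browsers. The header sets in SAMPLE_RESPONSES are constructed for the example; treating an empty frame-ancestors source list as a misconfiguration is this example's own choice.

```python
"""Audit HTTP response headers for clickjacking (frame) protection.

Added example, not NZRS's own code. Header values below are constructed.
"""
from __future__ import annotations

PROTECTED = "protected"
UNPROTECTED = "unprotected"


def _get_header(headers: dict[str, str], name: str) -> str | None:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _frame_ancestors(csp: str) -> list[str] | None:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def frame_protection_status(headers: dict[str, str]) -> tuple[str, str]:
    """Classify a response's frame protection as (status, reason).

    An enforced CSP frame-ancestors directive takes precedence over
    X-Frame-Options; a Report-Only policy never blocks framing; ALLOW-FROM is
    obsolete and ignored by current browsers, so it counts as no protection.
    """
    csp = _get_header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = _frame_ancestors(csp)
        if sources is not None:
            if "*" in sources:
                return UNPROTECTED, "frame-ancestors allows any origin"
            if not sources:
                # Assumption for this example: an empty source list is a misconfiguration.
                return UNPROTECTED, "frame-ancestors has no sources"
            return PROTECTED, "CSP frame-ancestors " + " ".join(sources)

    xfo = _get_header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return PROTECTED, "X-Frame-Options " + value
        if value.startswith("ALLOW-FROM"):
            return UNPROTECTED, "X-Frame-Options ALLOW-FROM is obsolete and ignored"
        return UNPROTECTED, f"unrecognised X-Frame-Options value {xfo!r}"

    if _get_header(headers, "Content-Security-Policy-Report-Only") is not None:
        return UNPROTECTED, "only a Report-Only CSP is present; it does not block framing"
    return UNPROTECTED, "no frame protection header"


# Constructed header sets modelled on the login-screen finding above.
SAMPLE_RESPONSES = {
    "login-before": {"Content-Type": "text/html; charset=utf-8"},
    "login-after": {
        "Content-Type": "text/html; charset=utf-8",
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "frame-ancestors 'self'",
    },
    "report-only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "obsolete": {"x-frame-options": "ALLOW-FROM https://example.org"},
}


def audit(responses: dict[str, dict[str, str]]) -> list[str]:
    """Return the names of responses that lack effective frame protection."""
    return sorted(
        name for name, h in responses.items()
        if frame_protection_status(h)[0] != PROTECTED
    )


if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        status, reason = frame_protection_status(headers)
        print(f"{name:13s} {status:12s} {reason}")
    print("needs attention:", audit(SAMPLE_RESPONSES))
```

In practice the header dict would come from the response object of whatever HTTP client the site monitoring already uses; the classification logic does not depend on the client.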