Thanks for all the information and recommendations on the issues
surrounding the addition of DNS entries for university students. There are
pros and cons to the yea and nay of it all.
some of the pros:
- freedom of expression
- enhances the spirit of experimentation usually encouraged
- the idea that you needn't distrust the many based on the actions of the few
- provision of yourself and other system administrators with a little more
control
- permits these users inverse lookup authentication, thus giving them
access to some sites, which would otherwise be denied
some of the cons:
- perilous organization liabilities and legal jeopardies
- degraded bandwidth from the added traffic
- maintenance of DNS entries from year to year
- security
Again, many thanks to all the many, helpful responses. We thank you.
Carole Thompson
carole_at_callutheran.edu
Information Systems and Services
California Lutheran University
(805) 493-3944
THE RESPONSES:
First, you need to verify that he has registered his domain name with the
InterNIC, and that he is aware it will cost him money from now on to own
that name.
If I were you, I would be sure he doesn't have objectionable material on
his site before you agree. By adding him to your nameservers, you are, in
essence, giving your consent for him to operate his site.
John Banghart
john_at_success.net
----------
This really sounds like something that needs to be decided at high
management level, but if you get complaints about what he is distributing
on his PC, you always have the option of disconnecting him from the
network. You do have to respect people's right to privacy, but if
he's distributing copyrighted software that he has no right to distribute,
cutting off his network access is appropriate.
At UCI, we assign the hostnames for systems in the dorms (although there
aren't that many yet).
Mike Iglesias <iglesias_at_draco.acs.uci.edu>
----------------
I am a Student Systems Management Assistant. Which kind of means I am a
little in control, but stay out of the picture.
So in other words, I don't make the policy, but I read it as best I can.
We have the same situation here. The only difference I can see is that we
are using Bootp. We allow students to put up whatever servers they would
like. However, we do not allow them to advertise their sites.
Otherwise we get into the whole "600 meg of nature pictures available
here". But we still want to be able to (If a student is smart enough)
setup an anon ftp server so they can get their files and what not.
Also, we notify them that we are not using static IP's.
--Brett M. Thorson
"UW-Platteville Gopher and WWW Admin." <GOPHERADMIN_at_uwplatt.edu>
-------------------
You already gave him an IP address, from some central authority I presume.
You already have lent some level of institutional concurrence to the
student's actions. A DNS entry is no different.
The way DNS and IP addressing work here is that CIT hands out subnets or
sub-subnets to local computer administration. This space is to do with
however I please. Hostnames are registered by filling in a form and
E-mailing it to the Hostmaster, or getting a fresh copy of the host name
table, changing it, and doing a diff -c on it. It is updated by a
(partially) automatic process. I'm not even really sure they check my
credentials when I (infrequently) do this. They don't care what I name the
computers (as long as it has .cornell.edu).
This will cause the flood gates to open. You may have to have some
employee play cybercop, and continuously scan the local net for
pornographic Web sites and pirated software. Get a student hacker.
boris_at_gore.afep.cornell.edu
------------
....as the Sysop at an Independent college in Milwaukee, WI, I
can tell you that our policy would be to just say no. The student is
making a request that is far more appropriate to make from a commercial
provider.
..first, you have no control over his content
....second, depending on how popular it becomes, he's using your
bandwidth to the possible degradation of others....
While I admire the enthusiasm of such students, they fail to
recognize the implications of their projects. You may or may not be
under the staffing constraints I live with. We have an enrollment of over
4200 and I am the only Academic Computing support person for the entire
campus - and I administer all the networks....
Jim Esten sysop_at_acs.stritch.edu
---> Cardinal Stritch College <--
-----------------------
TCU has recently installed ethernet connections to all the dorm rooms on
campus. We have chosen to assign an IP to each ethernet jack in each
room along with the registered name being their dorm/room/jack. Example:
Ziegler Dorm, Room 123, Jack 2 will have a registered name of:
ZEI1232.DORM.TCU.EDU. Therefore the DNS name never changes and is "fixed"
whether a student has a connection or not.
For a student to connect, they must call us with their ethernet
address and we will assign them the IP address for their dorm room.
Jon Eidson (J.Eidson_at_tcu.edu)
Texas Christian University
----------------------
Registering a DNS name is only part of the problem here.
As long as your university has direct access to the Internet from these
campus network PC's (that is, there is no firewall restricting access) then
anyone can get to his PC by simply knowing the IP address.
Also, he/she is now using your campus resources for who-knows-what kind of
access - and you have no idea of the traffic that ftp site will generate.
You might want to try to find out what this student is doing - to quantify
the load that might be put on the network.
Simply denying a DNS name may not stop him. You might have to clamp down on
anonymous ftp servers on those PC's. And, you should seriously consider
a firewall or some kind of screening router for your Internet connection.
rockwell_at_rch.dec.com
-----------------
We've just started offering 10Base-T connections in our dorms.
We've pre-assigned IP addresses, and pre-registered domain
names for each jack we expect to make "live", with the name
based on the dorm name, room, and jack number. We don't
give them any choice in either domain name or ip address,
though we don't have any way to enforce that.
We're providing "a port for every pillow", and so far nobody has
asked for more than that. If somebody wants to bring in their
own hub and a fileserver, etc. beyond the two roommates' pc's,
we'll deal with that then. If that does happen, I'm arguing that we
should do what we can to accommodate them, but others in my
department disagree.
--Phil Rand <prand_at_spu.edu>
------------------
At a meeting of the S.E. CAUSE there was a discussion about something
similar.
Is the university liable for what a student does with university property
(the network from the university) when it comes to cyberspace?
The answer was, yes but if and only if the university has knowledge and
failed to do something about it. Three universities (in NC) have had legal
problems stemming from this, two of these still pending judgement.
Some schools make the students sign a "letter of intent" stating the
policy that must be followed, else dismissal and possible criminal charges.
This has possible 1st amendment implications.
Phil Krause <phil_at_wolf.ncat.edu>
----------------
We allowed people to use static IP and added them DNS entries when we
first started, but converted to dynamic IP and therefore personal
machines now (except for those few Unix boxes that we have connecting to
us) do not get personal names.
I don't personally have a problem with giving machines names, but in your
type of setting with the high turnover of machines connecting to your
network it would be an administrative nightmare to have to constantly
change the DNS entries every time a student moves in, moves out, changes
rooms, leaves the school, et al et al et al. I feel it would be a very
bad precedent to start, especially since if it does occur at your
particular institution everyone else around the internet with ethernet to
the dorms would be getting deluged with "well, they do it at x place, why
not here......".
Peter Clark <pclark_at_linda.pclark.com>
---------------------
We have just implemented a student network where students have
ethernet connections from their dorm rooms. We followed the
convention of giving the student a DNS entry where their
host-name is the same as their username on our multiuser
academic computer. This way, since the usernames are unique
and all students get accounts when they are enrolled, it is
a simple step to giving them a DNS entry. Plus, if they change
dorms during their enrollment the DNS entry is location
independent (unlike a DNS entry that would be DORM-RM#).
Russ Embich
Systems Manager
Lebanon Valley College
-------------------
Since we're managing/distributing IP in our institution via BOOTP,
our plan is to do DNS registrations with generic names (bootpxxx.*)
and we're not necessarily "approving" anything.
Our primary reason for doing so is to avoid the requests from users
who are attempting to FTP *from* sites that require authentication
in the local DNS. Doing the whole job at once is much better than
returning multiple times to the same user/problem and correcting a
few bits at each pass.
andrew. (brennan_at_hal.hahnemann.edu)
------------------
Are you saying that you have people in the dorms with IP addresses that
don't have names attached to them? That's somewhat of a bad idea because
a lot of places expect names to be registered before they'll allow things
like ftp, etc.
One alternative is to give some sort of generic name to the machines (the
campus here did dormname-roomname), but you'll probably have people
complaining about privacy invasions by making it known where they live.
What the campus ended up doing for the dorm people is giving them a
dorm.umd.edu subdomain (they could pick the machinename), which kind of
implies that the university doesn't know what's going on. You may want
to just create a subdomain for stuff like that (if you're really
concerned, machine.unsupported.callutheran.edu or something) -- I don't
think it really lends any aura of approval, though. If you know the
students are doing illegal things, though, I'd imagine you'd be obligated
to shut them down (but you've already probably tackled this issue with
the dorm net users).
Todd Kover <kovert_at_umiacs.UMD.EDU>
_______________________
But hereafter are some pointers to computer *good* use policies, mostly
from US universities and you can perhaps pick something relevant to you:
http://www.eff.org/pub/CAF/policies/
http://www.vt.edu/policies.html
http://www.crpht.lu/CNS/html/PubServ/Security/documents.html
Herve DEMARTHE <demarthe_at_alpha.cad.cea.fr>
_____________________
There are several reasons why you should register IP addresses in
your DNS. For purposes of example, I am going to invent some details
(without loss of generality). Suppose the student in question is named
Joe Smith and that you have assigned him an IP address of 123.45.67.89.
First of all, many places on the net require that a host have a
legitimate DNS/inverse-DNS lookup before they will deal with that host. This
is to help prevent spoofing. If you do not register 123.45.67.89, Joe
will not be able to connect to some useful (and potentially educational)
archives.
Second, suppose Mr. Smith does use his Internet access for some shady
things (pirate FTP site, attempted breakins to machines, IRC harassment,
whatever). If he is trying to break into my site (or pirating my
software or whatever), I can trace his IP address back to Cal Lutheran
via whois on rs.internic.net. If his host has been registered as
jsmith.dorms.callutheran.edu, I will be much better informed than if I just
knew his IP address came from somewhere on your site. (Maybe
someone just hooked a machine into a free ethernet jack or maybe you
misconfigured DNS and this is your dean's personal machine, who knows).
Third, you have already given him IP access. If he wants to put
up a pirate BBS and/or start sending out forged ICMP packets, your not
registering his machine in your DNS tables won't stop him in the
slightest. If, on the other hand, he wants to maintain a web site for his
family reunion and provide an FTP archive of GIFs of Neptune, you'll make
it harder for him. If you don't want him to run a server site, then don't
allow him to do so (this may mean taking away access), but given that he
has your permission to put up a server, own up to giving him access and
give it an appropriate name.
Bear in mind, however, that your choices are not limited to (a) not
registering the hostname or (b) registering it in the domain
callutheran.edu. You COULD request a new top level domain and register
"non-endorsed" hosts there. My feeling is that is a bit of overkill and
that a subdomain of callutheran.edu would do fine.
Lastly, you could require that students register their own domain
(or get someone else to do DNS for them). You will still have to do
inverse-DNS resolution, so that is likely to be a pain for both you and
them, but it seems to say "Cal Lutheran is only giving this host IP access
and has nothing else to do with it."
Let me close by reiterating the most important point (from my
perspective). It is much easier for _ME_ (a sysadmin) to track down
problems and understand what the situation is with machines which _YOU_
have given access if _YOU_ provide some sort of DNS for them. If you do
nothing more than call them "dormpc1", "dormpc2", you are providing
valuable information in case one of these machines causes a problem with
my site (either accidental or malicious).
Sean Watson
swatson_at_ultrix5.cs.csubak.edu
P.S. Before this becomes a problem, you should also try to figure out
what will happen if one student sets his/her IP address to that of another
machine on campus. This defeats rlogin (and other IP address based)
authentication, it can cause denial of service (even if the wrong IP
address was entered accidentally). There is software out there to
"catch" packets sent on an ethernet (even if they aren't destined for your
machine) which can easily reassemble TCP/IP streams and determine passwords
sent with FTP or TELNET to or from another machine on the same Ethernet.
You are really opening yourself up by giving full Ethernet access to
someone you don't entirely trust. For that reason we will probably never give
students more access than PPP or SLIP.
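
Added example, not part of the original thread or of any respondent's message: the DNS/inverse-DNS check that the replies above say remote FTP sites apply, written as a forward-confirmed reverse lookup over constructed zone data. The address 123.45.67.89 and the name jsmith.dorms.callutheran.edu come from the message above; every other record, address and function name is an assumption made for illustration.

```python
import ipaddress

# Constructed sample zone data (not real records): reverse (PTR) and forward (A) maps.
PTR = {
    "123.45.67.89": "jsmith.dorms.callutheran.edu.",   # registered in both directions
    "123.45.67.90": "dormpc2.dorms.callutheran.edu.",  # PTR exists, A record forgotten
    "123.45.67.91": "FTP.Example.ORG",                 # PTR claims a name hosted elsewhere
}
A = {
    "jsmith.dorms.callutheran.edu.": ["123.45.67.89"],
    "ftp.example.org.": ["192.0.2.10"],
}


def normalize(name):
    """Lower-case a DNS name and make it fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def fcrdns(ip, ptr=PTR, a=A):
    """Forward-confirmed reverse DNS: IP -> PTR name -> A records -> same IP?

    Returns (verdict, hostname). Only "ok" means the name can be trusted as
    belonging to the address; a PTR alone is controlled by whoever runs the
    reverse zone and proves nothing about the forward name.
    """
    addr = str(ipaddress.ip_address(ip))  # raises ValueError on malformed input
    name = ptr.get(addr)
    if name is None:
        return ("no-ptr", None)           # the unregistered dorm PC case
    name = normalize(name)
    forward = a.get(name, [])
    if not forward:
        return ("no-forward", name)       # half-registered: reverse only
    if addr not in forward:
        return ("mismatch", name)         # reverse zone claims someone else's name
    return ("ok", name)


def audit(ips, ptr=PTR, a=A):
    """Return the addresses a remote site applying this check would refuse."""
    return {ip: fcrdns(ip, ptr, a)[0] for ip in ips if fcrdns(ip, ptr, a)[0] != "ok"}


if __name__ == "__main__":
    for ip in ["123.45.67.89", "123.45.67.90", "123.45.67.91", "123.45.67.92"]:
        print(ip, *fcrdns(ip))
```

Running `audit` over the whole dorm address block before the term starts shows which jacks were registered in only one direction, which is the maintenance problem several replies raise.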
Received on Sat Sep 23 1995 - 00:46:19 NZST