North American Network Operators Group

Re: Internic hosage (fwd)

  • From: Alex Bligh
  • Date: Fri Mar 20 21:50:29 1998

Michael,

> > I think the world is missing something (*). ".to" is the TLD registered to
> > Tonga. They are doing a nice line in registering domain names, thank you.
> > Internic/NSI's whois server is not authoritative for them.
> 
> Let's delve into the technical a bit, shall we? Host records are in place
> so that authorization info can be associated with the hosts that are
> registered as nameservers for a domain. One would expect that a host

Well, arguably to prime glue records is the main point, which I think
you agree with below.

> registered with the Internic would at some point in time be listed as a
> nameserver on an Internic domain name registration.
> 
> When a host is listed as a nameserver on an Internic domain name
> registration, e.g. example.com, it is listed in the Internic zone, i.e. 
> .com, as a glue record. If your nameserver happens to resolve example.com
> it will also learn the addresses from the glue records, thus if at some
> later point in time one of your customers attempts to access
> perhaps.youwant.to your nameserver will deliver the address learned from
> the glue record and will not query the youwant.to domain nameserver.

Yes I am familiar with this, but...
 
> I don't know whether these people actually did hijack the address of
> perhaps.youwant.to or whether they were just preparing to do so. And I
> don't know whether more recent versions of BIND can ignore glue records
> which would mean that they only partially hijacked the host name.
> 
> Of course the Internic web pages claim that a host record can only be
> changed by the technical contact of the domain in question. Since they
> have no record in their database of a technical contact for youwant.to the
> question is, why did they allow this info to be registered in the first
> place?

... all I was saying is there is an innocent explanation for this I think.
Which is the domain owners got the original registration of the glue/host
record in there (which is unnecessary as it's a glue for a domain not
held at Internic - it should be a glue in .to or whatever), and this
could get in there because the Internic's glue record checking is/has been
broken for a long long while. They then changed their nameserver address.

I believe this to be likely because I have empirical evidence. We did this
foolishly a long while ago with the same result. I registered 2 domains,
mydomain.co.uk and, later, mydomain.com. As I had ns.mydomain.co.uk
already set up, foolishly I set it as the nameserver for mydomain.com. This
is/was a bad bad thing to do as the code at the Internic barfed on this
and said the nameserver didn't exist (as it wasn't in an Internic domain). The
fix was for them to insert what is now known as a host record. Which they
did. Then we tried to change the IP address of ns.mydomain.co.uk. But, lo
and behold, the old host record of course stayed there. In this instance
we couldn't modify it even when we tried. Sigh...

Substitute mydomain.co.uk for perhaps.youwant.to and the above seems
remarkably similar. The only people doing DoS for mydomain.co.uk at the
time were the Internic. It only took a few weeks to sort it out.

You are correct, however, that there are various sanity checks missing
from the host record stuff that *might* be able to be used as DoS. Probably
publishing them on NANOG is a bad plan.

-- 
Alex Bligh
GX Networks (formerly Xara Networks)
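
The failure described in the message above (a registry host record for a name outside the registry's own zones, left in place after the nameserver's address changed) can be caught with a periodic audit. The following is an added example, not part of the original post or any Internic tooling; the function names are hypothetical and all records and addresses are constructed.

```python
# Added example: audit a registry's host (glue) records. All data is constructed.

def in_bailiwick(name, zone):
    """True if name equals zone or sits beneath it (case and trailing dot ignored)."""
    n = name.lower().rstrip(".").split(".")
    z = zone.lower().rstrip(".").split(".")
    return len(n) >= len(z) and n[-len(z):] == z


def audit_host_records(registry_zones, host_records, authoritative):
    """Return {hostname: [issues]} for every host record the registry holds.

    registry_zones: zones the registry publishes, e.g. ["com", "net", "org"]
    host_records:   {hostname: address} as stored by the registry
    authoritative:  {hostname: set of addresses} from the host's own zone
    """
    report = {}
    for host, addr in sorted(host_records.items()):
        issues = []
        if not any(in_bailiwick(host, z) for z in registry_zones):
            # Glue for this name belongs in its real parent zone, not here.
            issues.append("out-of-bailiwick")
        current = authoritative.get(host.lower().rstrip("."))
        if current is None:
            issues.append("unverified")   # nothing to compare against
        elif addr not in current:
            issues.append("stale")        # registry copy no longer matches
        report[host] = issues
    return report


# Constructed sample data; addresses are from the documentation ranges.
REGISTRY_ZONES = ["com", "net", "org"]
HOST_RECORDS = {
    "ns.mydomain.co.uk": "192.0.2.10",    # old address left in the registry
    "ns1.example.com": "192.0.2.53",
    "ns2.example.com": "192.0.2.54",
}
AUTHORITATIVE = {
    "ns.mydomain.co.uk": {"198.51.100.10"},  # nameserver has since moved
    "ns1.example.com": {"192.0.2.53"},
}

if __name__ == "__main__":
    for host, issues in audit_host_records(
            REGISTRY_ZONES, HOST_RECORDS, AUTHORITATIVE).items():
        print(host, ", ".join(issues) or "ok")
```

In practice the authoritative side would be filled in by querying each host's own zone directly rather than from a static table.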