[dns-operations] A report on a DNS issue that was causing page redirections

Warren Kumari warren at kumari.net
Wed Aug 13 15:25:39 UTC 2014

On Wed, Aug 13, 2014 at 3:38 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> On Tue, Aug 12, 2014 at 06:59:37PM +0200,
>  Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote
>  a message of 14 lines which said:
>> The author says "your domain name registrar can introduce an error to
>> the root domain database and match your domain to an incorrect DNS
>> servers (this actually happened earlier in history of some domain
>> registrars)" but my human memory cannot find an actual documented
>> case. Anyone can mention one or was it just speculation?
> One case mentioned by Tony which is not exactly that, but close:
> http://news.netcraft.com/archives/2005/01/18/lapse_at_melbourne_it_enabled_panixcom_hijacking.html
> One mentioned in ANSSI's guide on DNS:
> http://blogs.cisco.com/security/hijacking-of-dns-records-from-network-solutions/
> [If you take Network Solutions' words literally...]
>> DNSSEC would have mitigated the problem if the domain had been
>> properly managed, which was apparently not the case.

SAC044 - A Registrant's Guide to Protecting Domain Name Registration
Accounts [https://www.icann.org/en/groups/ssac/documents/sac-044-en.pdf]
SAC040 - Measures to Protect Domain Registration Services Against
Exploitation or Misuse
[https://www.icann.org/en/groups/ssac/documents/sac-040-en.pdf (also
available in multiple languages, links here:
SAC028 - Registrar Impersonation Phishing Attacks
SAC007 - Domain Name Hijacking Report (SAC007) (12 July 2005)
SAC049 - DNS Zone Risk Assessment and Management (03 June 2011)

Unfortunately many registrants are not adequately protecting their
domains, especially the registrar credentials. The suggestions in the
above documents[0] don't solve all domain hijacks (ask me how I know
:-)), but would cut down on a large number of them, and / or make
recovery faster / easier[1].

[0]: Full disclosure: Member of SSAC, contributor to a number of the
above documents.
[1]: This feels like a BCP38 type discussion. Not sure if posting
these will make any difference, but next time there is a hijack that
could have been prevented by the above, at least I can say "Nah, nah,
told you so!". This is not helpful to the registrant, but might make
me feel better :-P

> Someone asked me to be more precise: if the DNS hoster does both the
> provisioning (including the signing) and the publication on its DNS
> servers, then, DNSSEC would not help (GIGO). But if the user does the
> provisioning / signing, and relies on the DNS hoster just for
> publication (the user being just a stealth master), DNSSEC would
> protect against blunders by the DNS hoster.

I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
