Afilias has informed registrars and registry clients that it is taking steps to remove orphan glue records from 200+ TLD zones in its care. This will eliminate the potential for a handful of domain names to be misused.
“Glue records” enable websites and other uses of domain names to work on the internet. They are tied to DNS domain name delegations and are necessary to guide iterative resolvers to the delegated nameservers. A glue record becomes an orphan when the parent domain’s nameserver (delegation) records are removed from the DNS but the corresponding glue record remains. (See ICANN’s Security and Stability Advisory Committee (SSAC) document SAC048 for a detailed explanation.) While some orphan glue is always expected to exist, e.g., when the parent domain is suppressed from publication in the DNS in the course of normal registry operations, we would expect the number of such records to be relatively small.
Following information passed on by responsible sources (graduate students Gautam Akiwate at UC San Diego and Raffaele Sommese at the University of Twente), Afilias identified a handful of domain names among the 20 million names we support that relied upon orphan glue records with no corresponding parent domain in the registry. These records persisted after the parent domain’s nameserver records were deleted as part of the normal deletion of a domain name. Theoretically, the deleted names could be re-registered for nefarious purposes and the dependent domains’ queries redirected to an unintended destination. The possibility of such a case led us to take immediate action.
Afilias’ plan is to remove all such problematic orphan glue records and adjust security settings to prohibit the persistence of such records when names are deleted in the future.
Afilias has notified registrars so they can inform the few domain owners who currently rely on orphan glue records to make appropriate adjustments immediately. Registry operators need take no action.
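The two conditions the announcement describes (glue that has outlived the delegation of its parent domain, and registered domains whose NS records still point at that glue) can both be found by walking a TLD zone. The script below is an added example written for this article, not Afilias’ tooling; it assumes a simplified single-line presentation format (`owner TTL IN TYPE rdata`, names as FQDNs with a trailing dot) and uses a constructed zone for a hypothetical TLD `example.` in which `gone.example.` has been deleted while its nameservers’ address records remain.

```python
"""Audit a TLD zone for orphan glue and the delegations that depend on it.

Added example; the zone text below is constructed, not real registry data.
Assumes a simplified presentation format: 'owner TTL IN TYPE rdata' per line.
"""
from collections import defaultdict

ZONE_ORIGIN = "example."  # hypothetical TLD apex

# Constructed sample zone. 'gone.example.' has been deleted (no NS records),
# but the glue for ns1/ns2.gone.example. is still published, and
# 'beta.example.' still delegates to those names.
SAMPLE_ZONE = """
example.            3600 IN SOA  a.nic.example. hostmaster.nic.example. 1 7200 900 1209600 3600
example.            3600 IN NS   a.nic.example.
nic.example.        3600 IN NS   a.nic.example.
a.nic.example.      3600 IN A    192.0.2.1
; a normal delegation with in-bailiwick glue
alpha.example.      3600 IN NS   ns1.alpha.example.
alpha.example.      3600 IN NS   ns2.alpha.example.
ns1.alpha.example.  3600 IN A    192.0.2.10
ns2.alpha.example.  3600 IN AAAA 2001:db8::10
; beta delegates to nameservers under the deleted domain gone.example.
beta.example.       3600 IN NS   ns1.gone.example.
beta.example.       3600 IN NS   ns2.gone.example.
ns1.gone.example.   3600 IN A    192.0.2.20   ; orphan glue
ns2.gone.example.   3600 IN A    192.0.2.21   ; orphan glue
; gamma uses an out-of-zone nameserver: no glue needed in this zone
gamma.example.      3600 IN NS   ns.dnsprovider.test.
"""


def parse_zone(text):
    """Return (owner, rtype, rdata) tuples; ';' comments and blank lines dropped."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        records.append((owner.lower(), rtype.upper(), rdata.strip().lower()))
    return records


def _is_below(name, ancestor):
    """True if `name` is a strict descendant of `ancestor` (both FQDNs)."""
    return name != ancestor and name.endswith("." + ancestor)


def delegation_point(name, delegations):
    """Return the most specific delegated name that `name` sits under, or None."""
    best = None
    for cut in delegations:
        if _is_below(name, cut) and (best is None or len(cut) > len(best)):
            best = cut
    return best


def find_orphan_glue(records, origin):
    """Map owner -> [(type, address)] for A/AAAA records that no delegation covers.

    Address data at the apex itself is authoritative, not glue, so it is skipped.
    """
    delegations = {o for o, t, _ in records if t == "NS" and o != origin}
    orphans = defaultdict(list)
    for owner, rtype, rdata in records:
        if rtype not in ("A", "AAAA") or not _is_below(owner, origin):
            continue
        if owner in delegations or delegation_point(owner, delegations):
            continue  # glue for a live delegation (or occluded data at a cut)
        orphans[owner].append((rtype, rdata))
    return dict(orphans)


def delegations_relying_on(records, origin, orphans):
    """Map delegated domain -> set of its NS targets that are orphan glue."""
    dependents = defaultdict(set)
    for owner, rtype, rdata in records:
        if rtype == "NS" and owner != origin and rdata in orphans:
            dependents[owner].add(rdata)
    return dict(dependents)


def audit_zone(text, origin):
    """Return (orphan_glue, dependents) for a zone in the simplified format."""
    records = parse_zone(text)
    orphans = find_orphan_glue(records, origin)
    return orphans, delegations_relying_on(records, origin, orphans)


if __name__ == "__main__":
    orphans, dependents = audit_zone(SAMPLE_ZONE, ZONE_ORIGIN)
    for host, addrs in sorted(orphans.items()):
        print("orphan glue:", host, addrs)
    for domain, hosts in sorted(dependents.items()):
        print("delegation relying on orphan glue:", domain, sorted(hosts))
```

Run against a real zone file, the `orphans` output is the list a registry would purge and the `dependents` output is the list of registrants a registrar would need to notify, as the announcement describes. The script flags `ns1.gone.example.` and `ns2.gone.example.` and reports `beta.example.` as the delegation that would be exposed if `gone.example.` were re-registered; `alpha.example.`’s glue and the registry’s own `a.nic.example.` are not reported because their parent domains are still delegated.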
Over the years I’ve left my share of orphaned glue. Registrar tools are not really adequate for me (and I presume others) to remember and clean up the servers I once used but forgot.
I’ve noticed a lot of attack traffic coming in via my live NS records. I’ve never tracked what’s hitting my past ones.
The registrars I've dealt with don't even provide tools for domain owners to manage the glue records directly. You fill in the NS records and the back-end software fills in the necessary A/AAAA records automatically. I was under the impression even high-end enterprise services did the same in the name of ease-of-use, depending on having at least one out-of-zone nameserver to bootstrap the lookups for in-zone nameservers.
In general, as a registrant, you shouldn't need to worry about the glue records. As you point out, it's straightforward enough for a registrar to manage this for you with the registry. Having out-of-zone nameservers is something you have to do for yourself though, and the best way to do this is with two domains you own that "depend" on each other, including the contact information. Otherwise, you don't know the status of the glue of the nameservers you don't control and that can be a serious risk.
I think the normal case is out-of-zone nameservers, since even most enterprises have their primary DNS through a service like CloudFlare rather than hosting their own nameservers (at least for external use; internally it's likely to be an AD domain not directly accessible outside the corporate network, and the state of the global DNS won't matter). In those cases orphan glue won't be a problem since the DNS provider's unlikely to let their own domain expire undetected. It seems like the primary vulnerable parties would be companies that for whatever reason don't use their DNS provider's nameservers by name but create A/AAAA records for them in one of their own domains and point those records at IP addresses provided by the DNS provider. My immediate thought is that the only completely safe response is for the TLD operator to remove any glue records for hosts in a domain that's being removed and to notify the other registry operators so they can do the same. Delaying the removal for a short time so the affected domains can be warned would be nice, but anything other than removal is going to leave the affected domains subject to being hijacked as you noted. I think this is one of those cases (all too fracking common these days) where the faster you get the pain out of the way for the subject the better off everyone will be.
Just for reader clarity, it's not the use of the NS record that determines whether or not it's an orphan, it's the absence of the parent domain that makes it an orphan. If you're using your own domains for your nameserver names then they are not orphans, unless those domains are no longer registered. The security threat is to re-register the missing parent domain, in which case traffic could be redirected and you wouldn't see it.