[nsp-sec] GoDaddy DNS server "hijacking" .com ?

Florian Weimer fweimer at bfk.de
Wed Oct 8 12:51:45 EDT 2008


* Johannes B. Ullrich:

> one of our readers had issues resolving www.checkpoint.com, and we
> narrowed it down to ns51.domaincontrol.com and
> ns52.domaincontrol.com pretending to be '.com'. I am not sure if
> this is just by accident (the redirect sites just deliver the
> default GoDaddy parked page).

This is SOP for domain grabbers.  We've seen 1,528,623 zones served
from that NS in the big gTLDs alone.  Very likely, they haven't all
been active at the same time.  But even if it's just a fraction, you
still need the equivalent of tens of thousands of "zone" statements in
your name server configuration.  So it's much easier to make the
server authoritative for the root (or use some zone-less
wildcard-everything packet reflector).

Most TLDs explicitly do not check whether the NS of a delegated domain
is authoritative for the TLD.

On the other hand, my pity with people who run name servers which are
confused by this is rather limited (although this includes setups
involving forwarders forwarding to servers which do not sanitize or
strip authority sections from replies, like BIND 8).

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
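As an added example (not part of Florian's message, nor code from GoDaddy, BIND or any other tool mentioned above), the following Python script shows the check a resolver operator would want when a delegated name server starts answering as if it were authoritative for "com" or the root: parse the raw wire reply, pull the NS records out of the authority section, and flag any whose owner name is an ancestor of the zone the server was actually delegated (a bailiwick test). The minimal DNS wire parser, the bailiwick rule and the sample replies are all my own; the replies are constructed inline, and example.com / ns1.example.com are placeholder names. The only thing taken from the post is the use of ns51/ns52.domaincontrol.com as the NS targets in the "bad" sample.

```python
"""Bailiwick check for the authority section of a DNS reply (added example)."""
import struct


def _encode_name(name):
    """Wire-encode a dotted name ('example.com.', 'com.' or '.') without compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, authority):
    """Constructed test data: an A query reply with an empty answer section and
    the given (owner, nsdname) NS records in the authority section."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 0, len(authority), 0)  # QR|AA
    body = _encode_name(qname) + struct.pack("!HH", 1, 1)                 # A, IN
    for owner, nsdname in authority:
        rdata = _encode_name(nsdname)
        body += _encode_name(owner) + struct.pack("!HHIH", 2, 1, 3600, len(rdata)) + rdata
    return hdr + body


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii").lower())
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_sections(msg):
    """Return (qname, answers, authority, additional); each record is a dict
    with owner, type and, for NS records, the decoded target name."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, None
    for _ in range(qd):
        qname, off = _read_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    sections = []
    for count in (an, ns, ar):
        recs = []
        for _ in range(count):
            owner, off = _read_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            target = _read_name(msg, off)[0] if rtype == 2 else None  # NS rdata is a name
            recs.append({"owner": owner, "type": rtype, "target": target})
            off += rdlen
        sections.append(recs)
    return qname, sections[0], sections[1], sections[2]


def in_bailiwick(owner, zone):
    """True if owner is the delegated zone or below it (a server may legitimately
    speak for those); False for ancestors such as 'com.' or '.' and for
    unrelated names."""
    owner, zone = owner.lower(), zone.lower()
    return zone == "." or owner == zone or owner.endswith("." + zone)


def authority_out_of_bailiwick(msg, delegated_zone):
    """Return (owner, nsdname) pairs from the authority section that claim a zone
    the queried server was not delegated, e.g. NS records for 'com.' in a reply
    about a name under example.com."""
    _, _, authority, _ = parse_sections(msg)
    return [(r["owner"], r["target"]) for r in authority
            if r["type"] == 2 and not in_bailiwick(r["owner"], delegated_zone)]


if __name__ == "__main__":
    good = build_response("www.example.com.", [("example.com.", "ns1.example.com.")])
    bad = build_response("www.example.com.", [("com.", "ns51.domaincontrol.com."),
                                              (".", "ns52.domaincontrol.com.")])
    print("good reply:", authority_out_of_bailiwick(good, "example.com."))
    print("bad reply: ", authority_out_of_bailiwick(bad, "example.com."))
```

A resolver that caches NS records from the authority section without this test is exactly the kind of "confused" setup the message refers to: one reply from such a server would teach it that "com" (or the root) lives at the grabber's name servers. Modern resolvers apply this bailiwick rule to everything outside the answer section; the script just makes the rule explicit so you can run it over captured replies.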