It was predicted by Arthur C. Clarke...
WORLDS NAME SERVERS ARE YOURS—EXCEPT .EUROPA
A blunder during a handover of the .io registry allowed a security researcher to potentially take control of more than 270,000 .io domains. Late Friday, Matthew Bryant noticed an unusual response to some test code he was using to map top-level domains: several of the .io authoritative name servers were available to register. …
Also, it's doubly worth pointing out that DNS lookups are often cached, so the chances that a lookup will go all the way to the authoritative servers, and hit one of the hijacked ones, are low.
On the other hand, for exactly the same reason, any lookup which did hit a hijacked server might remain cached by non-authoritative name servers and be served up to all of their clients until either the operator of the caching servers finds out and clears the suspicious records or the TTL (which a malicious actor might set quite high*) expires...
* The TTL field in the DNS specification was originally a 32-bit signed integer, allowing values over 2 billion seconds (~68 years). Later clarification required that negative values be treated as 0, but still permits a 68-year positive TTL.
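How a caching resolver can bound the TTL exposure described in the comments above, as an added example that is not part of the original thread: it reads the TTL from a wire-format resource record, treats a value with the top bit set as 0, and caps everything else. The one-day cap, the helper names and the sample records under `.test` are assumptions constructed for illustration.

```python
import struct

MAX_CACHE_TTL = 86400  # assumed local policy cap (one day); not a value from the thread


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_rr(name: str, rtype: int, ttl: int, rdata: bytes) -> bytes:
    """Build a constructed wire-format resource record (class IN)."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def parse_ttl(rr: bytes) -> int:
    """Return the raw unsigned 32-bit TTL field of an uncompressed record."""
    off = 0
    while rr[off] != 0:  # walk the owner name label by label
        if rr[off] & 0xC0:
            raise ValueError("compressed or invalid label not handled here")
        off += 1 + rr[off]
    off += 1  # skip the terminating root label
    _rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", rr, off)
    if off + 10 + rdlen != len(rr):
        raise ValueError("RDLENGTH does not match record size")
    return ttl


def cache_ttl(raw_ttl: int, cap: int = MAX_CACHE_TTL) -> int:
    """TTL a cache should honour: top bit set counts as 0, the rest is capped."""
    if raw_ttl & 0x80000000:
        return 0
    return min(raw_ttl, cap)


# Constructed sample records: an A record for ns1.example.test with three TTLs.
RDATA = bytes([192, 0, 2, 53])
SAMPLES = {ttl: build_rr("ns1.example.test", 1, ttl, RDATA)
           for ttl in (300, 0x7FFFFFFF, 0xFFFFFFFF)}

if __name__ == "__main__":
    for raw, rr in SAMPLES.items():
        print(f"wire TTL {raw:>10} -> cached for {cache_ttl(parse_ttl(rr))} s")
```

With the cap in place, the largest positive TTL (2147483647 seconds, about 68 years) is held for one day at most.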
So he didn't register the name-servers as such, just the domains that point to them.
Slightly strange though, it's unusual for a name-server record to be on the root of a domain, normally you'd have an A record, such as ns1.domain.tld pointing to each name-server, but in this case the .io namespace was including domain.tld as a DNS server. Seems a waste of a domain.
The other ones, on the nic.io domain are more conventionally set up.
This sounds like an almighty cockup. Since his nameservers were on the same domain, the .io TLD would need active glue records for his server names under .io, which it seems were actually present. So maybe someone at .io removed or renamed their servers but forgot to remove the glue records?
While they could have fixed this by removing those records and allowing him to keep the domains which would then be pointless, it sounds like they revoked his actual domain name purchases. Which doesn't in itself sound enough to properly fix the problem?
"So which is it el 'reg?"
Oh, come on. You know the rules round here. A headline needs only have a passing resemblance to the article's content.
In this case the resemblance is that nearly half of DNS queries for any of all the .io domains could have become dependent on one of the server domains he'd taken over. ISTM that that's a better than average justification for an el Reg headline and a rather alarming one at that.
You seem to misunderstand the concept of redundancy with regards to DNS. Adding additional failure points is not "redundancy".
If you have all the servers for example.com under example.net then this should be a well considered decision because a failure of EITHER example.com or example.net will cause problems. However if you are talking about dedicated DNS servers then putting them all under example.com is the most optimal configuration in terms of both performance and reliability. Queries will go directly instead of resolvers having to do an entire extra DNS traversal, and the only thing you rely on is the parent servers for .com - if they go down then example.com isn't resolving, is it?
A TLD should not be dependent on anything except the root zone, using another TLD will either involve delays in resolving your TLD or will require that you get authority to add glue records to the root under someone else's zone. If you do the latter it would be functionally equivalent to using your own TLD, with added paperwork and failure points.
In short, "Using the same TLD" is only a silly idea if that TLD is a different one to the one the domain is under. Putting your name servers under your own domain, on the other hand, is the correct and best way to do it.
Of course the question then becomes what the root referrals looked like - correct IPs, or his IPs?
Oh well then it's all right, isn't it? Everything peachy. It's not like procedures should exist so that the possibility of issues should not happen. Not at all. Procedures are only invoked when issues do arise - so that way we have someone to blame. The rest of the time, no need for procedures.
dlint people. dlint, for the love of all that's holy. Run it whenever you make a significant change to DNS and run it periodically to make sure nothing went pear-shaped on you. If four of your seven name server entries fail to resolve, figure out how to fix that. Now go back to your corner and read the cricket book.
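The kind of delegation check that comment asks for, as an added example that is not dlint itself and not part of the original thread: it audits a zone's NS set against its glue and the names the registry holds, flagging name-server hosts that sit on a name open for registration. The zone `test`, the seven host names, the addresses and the function names are all constructed for illustration.

```python
from typing import Optional


def norm(name: str) -> str:
    return name.lower().rstrip(".")


def registrable_name(host: str, zone: str) -> Optional[str]:
    """Name directly under `zone` that `host` lives on, or None if out of zone."""
    host, zone = norm(host), norm(zone)
    if not host.endswith("." + zone):
        return None
    labels = host[: -len(zone) - 1].split(".")
    return f"{labels[-1]}.{zone}"


def audit_delegation(zone, ns_hosts, glue, reserved, resolving):
    """Return {host: problem} for every NS host that needs attention."""
    findings = {}
    for host in map(norm, ns_hosts):
        base = registrable_name(host, zone)
        if base is None:
            # Out-of-zone server: nothing here can vouch for it, so it must resolve.
            if host not in resolving:
                findings[host] = "out-of-zone name does not resolve"
        elif base not in reserved:
            # Worst case: anyone can register the name the delegation points at,
            # whether or not stale glue is still being served for it.
            findings[host] = f"{base} is open for registration"
        elif host not in glue:
            findings[host] = "in-zone name has no glue"
    return findings


# Constructed data: three servers on the registry's own nic.test, four on bare
# second-level names that still have glue but are no longer held by the registry.
ZONE = "test"
NS_SET = ["a0.nic.test", "b0.nic.test", "c0.nic.test",
          "ns-w.test", "ns-x.test", "ns-y.test", "ns-z.test"]
GLUE = {h: f"192.0.2.{i + 1}" for i, h in enumerate(NS_SET)}
RESERVED = {"nic.test"}


def run_sample():
    return audit_delegation(ZONE, NS_SET, GLUE, RESERVED, resolving=set())


if __name__ == "__main__":
    for host, problem in run_sample().items():
        print(f"{host}: {problem}")
```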
Personally run dnssec at home but have a feeling DNS is going to be one of the first casualties of the great cyber war. I don't think policy makers understand how much it's become critical infrastructure and what a charlie foxtrot security has been with it for a very long time (definitely baked in after the fact both in specs, software and human run aspect of it). It and BGP both scare me as that is how you make the internet disappear for an entire country or region or even worse subvert it. The prepper in me says I should start looking at Namecoin at home in case I need to switch rapidly.
Forgot to mention yes in this case it's only .io but there is sloppy shit like this all over the DNS world (the x509 circle jerk as well). Band aid upon band aid. DNSSEC at least helps prevent subversion somewhat but not being able to resolve a good portion of the internet isn't ideal either.
"Somewhat unusually, .IO TLD decided it wanted to continue to run the .IO name servers, but outsourced the rest of the registry operations to Afilias."
*** WE NOW KNOW THIS IS NOT TRUE ***
Afilias bought outright the operator "Internet Computer Bureau Limited" (aka "ICB"), which also has the alias "IO Top Level Domain Registry", which is the "ccTLD Manager" - i.e. they bought dot-IO and all its control - lock, stock & barrel.
But they didn't pass it by ICANN - naughty, naughty - A change of ccTLD Manager needs ICANN approval.
So those poor Chagossians got ripped off to the tune of $70M - as dot-TV will tell you, a good ccTLD can go a long way to fund a traditional island heritage.
So who did get the $70M ... well check out who resigned their directorship at about the same time the company changed hands
And what did the UK Gov know about all this ... they're keeping quiet, but then they just lost at the UN
What a mess - time to call time on colonialism, eh?