Is this a DNS security hole?

Jonathan de Boyne Pollard J.deBoynePollard at Tesco.NET
Sun May 2 12:00:45 UTC 2004


KD> The mycompany.com zone cannot contain a testing.victim.com 
KD> A record. 

True, but completely irrelevant.  Register.com, being a "com." registrar, is
dealing with the "com." "zone", not either of the "mycompany.com." or
"victim.com." "zones".

KD> If you *shouldn't* have authority in victim.com and you were 
KD> able to create an A record in it using register.com's GUI 
KD> tool, then it does indeed have a serious security flaw, IMO, 
KD> and you should probably report it.

The security flaw here is really in the registry-registrar protocol, not in
Register.COM's tools.  The protocol allows "DOMAIN" records to be registered
without requiring that the referenced "HOST" records be subdomains of the
domain itself.  The inevitable consequence of allowing "DOMAIN" registrations
where this is not the case is to allow registrants to register arbitrary
"HOST" records.  (The only RRP restriction is that they must be subdomains of
domains registered via the same registrar, which is really no restriction at
all in the case of popular registrars.)  Registrars that impose additional
further restrictions, such as that registrants can only register "HOST"
records referencing one of the domains that they have registered via that
registrar, lose market share from customers who don't want to be locked into
single registrars in this way.  The only reasonable way to address this issue
properly is at the registry.  But it's impossible to impose such restrictions
at the registry (since the registry cannot correlate registrant information,
because it doesn't have it), so the only reasonable way to address this issue
properly is to enforce best practice (in-bailiwick names) on the registration
of "DOMAIN" records.

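The two policies contrasted in the message (the loose RRP rule versus a strict in-bailiwick rule on DOMAIN registrations), as an added example that is not part of the original post and not code from any registrar or registry. The domain names, the set of domains assumed to be registered via one registrar, and the RRP rule itself are modelled only as the message describes them; the `rrp_permits` and `strict_permits` names are illustrative.

```python
# Added example: modelling the two HOST-record policies discussed above.
# Nothing here is registry or registrar code; the RRP rule is modelled
# purely as the message states it (a HOST need only be a subdomain of
# *some* domain registered via the same registrar).


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def is_subdomain(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it on a label boundary.

    The label boundary matters: 'evilvictim.com' is not under 'victim.com'.
    """
    h, d = normalize(host), normalize(domain)
    return h == d or h.endswith("." + d)


def out_of_bailiwick_hosts(domain: str, hosts: list[str]) -> list[str]:
    """HOST records that are not in-bailiwick for the DOMAIN being registered."""
    return [h for h in hosts if not is_subdomain(h, domain)]


def rrp_permits(domain: str, hosts: list[str], registrar_domains: set[str]) -> bool:
    """Loose rule as described in the message: each HOST must be a subdomain of
    any domain registered via the same registrar, not of `domain` itself."""
    return all(any(is_subdomain(h, d) for d in registrar_domains) for h in hosts)


def strict_permits(domain: str, hosts: list[str]) -> bool:
    """In-bailiwick rule: every HOST must be a subdomain of the DOMAIN itself."""
    return not out_of_bailiwick_hosts(domain, hosts)


def check_registration(domain: str, hosts: list[str], registrar_domains: set[str]) -> dict:
    """Evaluate one DOMAIN registration request under both policies."""
    return {
        "domain": normalize(domain),
        "rrp_permits": rrp_permits(domain, hosts, registrar_domains),
        "strict_permits": strict_permits(domain, hosts),
        "out_of_bailiwick": out_of_bailiwick_hosts(domain, hosts),
    }


if __name__ == "__main__":
    # Constructed data mirroring the thread's scenario (assumption, not real
    # registrar state): a popular registrar has both domains on its books.
    registrar_domains = {"mycompany.com", "victim.com"}
    request_hosts = ["ns1.mycompany.com", "testing.victim.com"]
    result = check_registration("mycompany.com", request_hosts, registrar_domains)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run as a script, the request for `mycompany.com` that names `testing.victim.com` as a HOST passes the RRP rule (because `victim.com` happens to be registered via the same registrar) and fails the strict rule, which is exactly the gap the message describes.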
