Conflicting glue records?

David Forrest drf at maplepark.com
Thu Jan 8 16:58:09 UTC 2009


Milo Hyson wrote:
In our particular case, we have stale glue records for our name-
servers that appear to be coming from a domain we host that is owned
by someone else. Despite our best efforts, we have not been able to
reach the owners and thus have not been able to get the host records
changed at the registrar. The net result is that any domains listing
those server names fail to resolve as the old IPs are no longer in
service.

This raises a scary question. If this is really an undefined
situation, could it be used as an attack vector? Although our
particular situation involves no component of fraud, what is to stop
someone from registering a domain and listing our server name with a
bogus IP?

Milo Hyson
Chief Scientist
CyberLife Labs
---------------
Nothing. But why would it matter? And why would they ask someone other 
than the TLDs for your NS?

I don't really think this is a problem as it only comes into play if they 
query the registered domain.  If one is hosting a domain owned by someone 
else they should be able to contact domain holder.  If they cannot contact 
them, they can just stop hosting them and queries will not then bother 
them.

I have several secondary nameservers out there and I have registered them 
with my registrar.  Checking for my nameservers at the TLD servers gives 
this response:

[root@maplepark ~]# dig +norecurse @A.GTLD-SERVERS.NET maplepark.com ns

; <<>> DiG 9.6.0 <<>> +norecurse @A.GTLD-SERVERS.NET maplepark.com ns
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62282
;; flags: qr; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 5

;; QUESTION SECTION:
;maplepark.com.			IN	NS

;; ANSWER SECTION:
maplepark.com.		172800	IN	NS	maplepark.com.
maplepark.com.		172800	IN	NS	ns5.dnsmadeeasy.com.
maplepark.com.		172800	IN	NS	ns6.dnsmadeeasy.com.
maplepark.com.		172800	IN	NS	ns6.gandi.net.
maplepark.com.		172800	IN	NS	ns7.dnsmadeeasy.com.

;; ADDITIONAL SECTION:
maplepark.com.		172800	IN	A	64.216.205.121
ns5.dnsmadeeasy.com.	172800	IN	A	63.219.151.12
ns6.dnsmadeeasy.com.	172800	IN	A	64.246.42.203
ns6.gandi.net.		172800	IN	A	217.70.177.40
ns7.dnsmadeeasy.com.	172800	IN	A	205.234.170.139

;; Query time: 91 msec
;; SERVER: 192.5.6.30#53(192.5.6.30)
;; WHEN: Thu Jan  8 09:05:47 2009
;; MSG SIZE  rcvd: 218

As can be seen (or digged|dug), the glue has me (maplepark.com), three 
other .com(s), and a .net, all as it should be (and as I wanted it and 
registered it).  Not allowing this setup would cripple lookups using my 
secondaries (all slaves).

OTOH, if you were to add my nameservers to YOUR TLD (through your 
registrar) anyone querying your nameservers for anything could be directed 
to my nameserver and then find answers only as long as my nameservers were 
active.  If I, as an active homebuilder, should fall prey to the 
ridiculous broken market I am dealing with and go out of business, those 
querying YOUR nameservers could get stupid answers.  But if they query the 
TLD for me they would also get stupid answers until my registration 
expires.  But I wouldn't care too much.  Protect yourself by maintaining 
YOUR TLD through your registrar and don't add me to your list of NS.

My short answer is "Don't host domains that aren't maintained" and rely on 
the DNS to normally resolve those who do maintain their domains.

imho, the system ain't broke; so don't fix it.
I'm dead sure someone will tell if I'm wrong, and maybe even if I'm not.

-- 
David Forrest                   e-mail   drf @ maplepark.com
Maple Park Development Corporation  http://www.maplepark.com
St. Louis, Missouri
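
The check in the message above (asking a TLD server for the delegation and its glue) can be extended into a stale-glue audit. The following is an added example, not part of the original message: it parses the referral records from the dig output and compares each glue address with the address the nameserver host's own zone currently publishes. The function names and the renumbered address 192.0.2.53 (a documentation address) are constructed for illustration.

```python
import re

# Referral records taken from the dig output in the post (the TLD server's view).
REFERRAL = """\
;; ANSWER SECTION:
maplepark.com.        172800 IN NS maplepark.com.
maplepark.com.        172800 IN NS ns5.dnsmadeeasy.com.
maplepark.com.        172800 IN NS ns6.dnsmadeeasy.com.
maplepark.com.        172800 IN NS ns6.gandi.net.
maplepark.com.        172800 IN NS ns7.dnsmadeeasy.com.
;; ADDITIONAL SECTION:
maplepark.com.        172800 IN A 64.216.205.121
ns5.dnsmadeeasy.com.  172800 IN A 63.219.151.12
ns6.dnsmadeeasy.com.  172800 IN A 64.246.42.203
ns6.gandi.net.        172800 IN A 217.70.177.40
ns7.dnsmadeeasy.com.  172800 IN A 205.234.170.139
"""
# One resource record per line; comment and section-header lines never match.
RR = re.compile(r"^(\S+)[ \t]+\d+[ \t]+IN[ \t]+(NS|A|AAAA)[ \t]+(\S+)[ \t]*$", re.M)

def parse_referral(text):
    """Return (NS target names, {host: set of glue addresses}) from dig output."""
    ns_names, glue = [], {}
    for m in RR.finditer(text):
        owner, rtype, rdata = (s.lower() for s in m.groups())
        if rtype == "ns":
            ns_names.append(rdata)
        else:
            glue.setdefault(owner, set()).add(rdata)
    return ns_names, glue

def audit_glue(text, current):
    """Compare glue with `current` (host -> addresses from the host's own zone)."""
    ns_names, glue = parse_referral(text)
    report = {}
    for ns in ns_names:
        have, want = glue.get(ns), current.get(ns)
        if have is None:
            report[ns] = "no-glue"      # referral carried no address for this NS
        elif want is None:
            report[ns] = "unverified"   # nothing to compare the glue against
        else:
            report[ns] = "ok" if have == want else "stale"
    return report

def demo():
    """Constructed scenario: ns6.gandi.net has moved to a documentation address."""
    current = dict(parse_referral(REFERRAL)[1])
    current["ns6.gandi.net."] = {"192.0.2.53"}
    return audit_glue(REFERRAL, current)
```

In practice `current` would be filled by querying each nameserver host's own authoritative zone; a "stale" verdict is the situation described in the quoted question, where the registry still hands out an address that is no longer in service.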


