Michael,
I think the world is missing something (*). ".to" is the TLD registered to Tonga. They are doing a nice line in registering domain names, thank you. Internic/NSI's whois server is not authoritative for them.
> Let's delve into the technical a bit, shall we? Host records are in place so that authorization info can be associated with the hosts that are registered as nameservers for a domain. One would expect that a host
Well arguably to prime glue records is the main point, which I think you agree with below.
> registered with the Internic would at some point in time be listed as a nameserver on an Internic domain name registration.
> When a host is listed as a nameserver on an Internic domain name registration, e.g. example.com, it is listed in the Internic zone, i.e. .com, as a glue record. If your nameserver happens to resolve example.com it will also learn the addresses from the glue records, thus if at some later point in time one of your customers attempts to access perhaps.youwant.to your nameserver will deliver the address learned from the glue record and will not query the youwant.to domain nameserver.
Yes I am familiar with this, but...
> I don't know whether these people actually did hijack the address of perhaps.youwant.to or whether they were just preparing to do so. And I don't know whether more recent versions of BIND can ignore glue records which would mean that they only partially hijacked the host name.
> Of course the Internic web pages claim that a host record can only be changed by the technical contact of the domain in question. Since they have no record in their database of a technical contact for youwant.to the question is, why did they allow this info to be registered in the first place?
... all I was saying is there is an innocent explanation for this I think. Which is the domain owners got the original registration of the glue/host record in there (which is unnecessary as it's a glue for a domain not held at Internic - it should be a glue in .to or whatever), and this could get in there because the Internic's glue record checking is/has been broken for a long long while. They then changed their nameserver address.

I believe this to be likely because I have empirical evidence. We did this foolishly a long while ago with the same result. I registered 2 domains, mydomain.co.uk and, later, mydomain.com. As I had ns.mydomain.co.uk already set up, foolishly I set it as the nameserver for mydomain.com. This is/was a bad bad thing to do as the code at the Internic barfed on this and said the nameserver didn't exist (as it wasn't in an Internic domain). The fix was for them to insert what is now known as a host record. Which they did. Then we tried to change the IP address of ns.mydomain.co.uk. But, lo and behold, the old host record of course stayed there. In this instance we couldn't modify it even when we tried. Sigh...

Substitute mydomain.co.uk for perhaps.youwant.to and the above seems remarkably similar. The only people doing DoS for mydomain.co.uk at the time with the Internic. It only took a few weeks to sort it out.

You are correct, however, that there are various sanity checks missing from the host record stuff that *might* be able to be used as DoS. Probably publishing them on NANOG is a bad plan.

--
Alex Bligh
GX Networks (formerly Xara Networks)
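The failure mode the thread circles around is glue in a parent zone that either belongs to a host outside the delegated domain (Alex's ns.mydomain.co.uk listed under .com) or no longer matches the address the host's own zone publishes, so a resolver keeps using the stale parent-supplied address. The checker below is an added example, not code from either poster: it takes the glue a parent hands out in referrals and the A records the authoritative zones actually publish, and flags out-of-bailiwick and stale entries. All names and addresses are constructed (the mydomain.* placeholders from the thread, RFC 5737 documentation addresses); in practice the two inputs come from querying a parent nameserver and the child's nameservers respectively.

```python
"""Glue consistency check: does the parent zone's glue still agree with the
authoritative zone? Added example; inputs are constructed, not real lookups."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str      # "out_of_bailiwick", "stale", or "orphan"
    detail: str


def in_bailiwick(host: str, zone: str) -> bool:
    """True if host is at or below zone, comparing whole labels so that
    notmydomain.com is not treated as being under mydomain.com."""
    h = host.lower().rstrip(".").split(".")
    z = zone.lower().rstrip(".").split(".")
    return len(h) >= len(z) and h[-len(z):] == z


def check_glue(zone: str, parent_glue: dict, authoritative: dict) -> list:
    """zone: the delegated domain (e.g. mydomain.com).
    parent_glue: host -> list of addresses the parent zone returns as glue.
    authoritative: host -> set of addresses the host's own zone publishes.
    Returns findings in a deterministic (host-sorted) order."""
    findings = []
    for host, glue_ips in sorted(parent_glue.items()):
        if not in_bailiwick(host, zone):
            # The parent has no business carrying an address for this host;
            # resolvers should learn it from the host's own zone instead.
            findings.append(Finding(host, "out_of_bailiwick",
                                    f"glue for {host} held in parent of {zone}"))
        auth_ips = authoritative.get(host)
        if auth_ips is None:
            findings.append(Finding(host, "orphan",
                                    "no authoritative A record for glued host"))
            continue
        stale = sorted(set(glue_ips) - set(auth_ips))
        if stale:
            # A resolver that primed from this glue would keep sending queries
            # to an address the zone owner no longer publishes.
            findings.append(Finding(host, "stale",
                                    f"glue {stale} not in authoritative {sorted(auth_ips)}"))
    return findings


# Constructed sample: ns1 is fine, ns.mydomain.co.uk was glued under .com and
# later moved to a new address, exactly the situation described in the thread.
ZONE = "mydomain.com"
PARENT_GLUE = {
    "ns1.mydomain.com": ["192.0.2.10"],
    "ns.mydomain.co.uk": ["192.0.2.20"],
}
AUTHORITATIVE = {
    "ns1.mydomain.com": {"192.0.2.10"},
    "ns.mydomain.co.uk": {"198.51.100.7"},
}


def example_findings() -> list:
    """Run the checker over the constructed sample."""
    return check_glue(ZONE, PARENT_GLUE, AUTHORITATIVE)


if __name__ == "__main__":
    for f in example_findings():
        print(f"{f.kind:16} {f.host}: {f.detail}")
```

To feed it real data, the parent's glue is what a parent nameserver returns in the ADDITIONAL section of a referral (for .com, `dig @a.gtld-servers.net mydomain.com NS`), and the authoritative set is the A record answer from the host's own nameservers; a mismatch is the signal to get the parent-side record corrected.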