domainmonger.com with wildcard NS?
This was brought to my attention by a friend. It looks like ns1.domainmonger.com and ns2.domainmonger.com are doing wildcard A records for all zones, including those that already exist. If you go to their site and try to register a domain, it properly shows if the domain exists or not. I'm trying to figure out what the reasoning is behind this. My friend alo pointed out this CERT alert, but I'm not sure how it relates: http://www.kb.cert.org/vuls/id/109475 Rick ------- ; <<>> DiG 9.2.3rc4 <<>> @ns1.domainmonger.com www.esdfsadfsdftreet.com a ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50340 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.esdfsadfsdftreet.com. IN A ;; ANSWER SECTION: www.esdfsadfsdftreet.com. 1200 IN A 216.52.102.86 ;; AUTHORITY SECTION: com. 1200 IN NS ns1.domainmonger.com. com. 1200 IN NS ns2.domainmonger.com. ;; Query time: 37 msec ;; SERVER: 216.98.150.33#53(ns1.domainmonger.com) ;; WHEN: Tue Oct 14 09:59:24 2003 ;; MSG SIZE rcvd: 107 ----- ; <<>> DiG 9.2.3rc4 <<>> @ns2.domainmonger.com www.legendz.com a ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40110 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.legendz.com. IN A ;; ANSWER SECTION: www.legendz.com. 1200 IN A 216.52.102.86 ;; AUTHORITY SECTION: com. 1200 IN NS ns1.domainmonger.com. com. 1200 IN NS ns2.domainmonger.com. ;; Query time: 91 msec ;; SERVER: 216.122.4.81#53(ns2.domainmonger.com) ;; WHEN: Tue Oct 14 10:01:28 2003 ;; MSG SIZE rcvd: 98
Some of the more pedantic registries require that nameservers for a new domain reg be up and available. In theory they are also supposed to answer auth for the new domain being registered, but I am not sure how many actually check for an SOA. Afternic used to wildcard NS records for that reason, so the practice isn't anything new. In theory this doesnt break anything, since the nameservers in question aren't providing recursive service to anyone. Any questions they see are the result of a followed delegation. So I don't see why this would cause problems anywhere. matto On Tue, 14 Oct 2003, Rick Ernst wrote: This was brought to my attention by a friend. It looks like ns1.domainmonger.com and ns2.domainmonger.com are doing wildcard A records for all zones, including those that already exist. If you go to their site and try to register a domain, it properly shows if the domain exists or not. I'm trying to figure out what the reasoning is behind this. My friend alo pointed out this CERT alert, but I'm not sure how it relates: http://www.kb.cert.org/vuls/id/109475 Rick --mghali@snark.net------------------------------------------<darwin>< Flowers on the razor wire/I know you're here/We are few/And far between/I was thinking about her skin/Love is a many splintered thing/Don't be afraid now/Just walk on in. #include <disclaim.h>
just me <matt@snark.net> writes:
In theory this doesnt break anything, since the nameservers in question aren't providing recursive service to anyone. Any questions they see are the result of a followed delegation. So I don't see why this would cause problems anywhere.
I'd sure hate to be the poor fellow having a zone being served from those nameservers when the inevitable configuration error causes the zone to get dropped on the floor (for instance an accidental removal from named.conf). NXDOMAIN or SERVFAIL sure beats a wildcard match going to the wrong place. ---Rob
On 14 Oct 2003, Robert E. Seastrom wrote: just me <matt@snark.net> writes:
In theory this doesnt break anything, since the nameservers in question aren't providing recursive service to anyone. Any questions they see are the result of a followed delegation. So I don't see why this would cause problems anywhere.
I'd sure hate to be the poor fellow having a zone being served from those nameservers when the inevitable configuration error causes the zone to get dropped on the floor (for instance an accidental removal from named.conf). NXDOMAIN or SERVFAIL sure beats a wildcard match going to the wrong place. ---Rob I think (don't hold me to this, I might be wrong) the trick, when you're a registrar, is to not lose domains? matto --mghali@snark.net------------------------------------------<darwin>< Flowers on the razor wire/I know you're here/We are few/And far between/I was thinking about her skin/Love is a many splintered thing/Don't be afraid now/Just walk on in. #include <disclaim.h>
just me <matt@snark.net> writes:
On 14 Oct 2003, Robert E. Seastrom wrote:
just me <matt@snark.net> writes:
In theory this doesnt break anything, since the nameservers in question aren't providing recursive service to anyone. Any questions they see are the result of a followed delegation. So I don't see why this would cause problems anywhere.
I'd sure hate to be the poor fellow having a zone being served from those nameservers when the inevitable configuration error causes the zone to get dropped on the floor (for instance an accidental removal from named.conf). NXDOMAIN or SERVFAIL sure beats a wildcard match going to the wrong place.
I think (don't hold me to this, I might be wrong) the trick, when you're a registrar, is to not lose domains?
History demonstrates that registrars are human too. ---Rob
participants (3)
-
just me
-
Rick Ernst
-
Robert E. Seastrom