> However, the point has been completely missed here, Eric. The point Dal
> was making is that Perhaps.youwant.to FALSIFIED, LIED, FORGED, STOLE,
> MISAPPROPRIATED, and otherwise BS'd about their WhoIs entry:
I think the world is missing something (*). ".to" is the TLD registered to
Tonga. They are doing a nice line in registering domain names thankyou.
Internic/NSI's whois server is not authorative for them. You thus get the
same result querying whois.internic.lnet as if you (say) query something
in the UK domain. That is it returns the record if and only if a host
entry has been registered. It happens that this domain has a host record
different from the DNS record, along with about ten trillion other
incorrect host records in the Internic database. This is easilly achieved
by modifying your zonefile after the host entry has been registered. If I
remember correctly there is a well known bug that no host entries are
fully checked anyway, but this is by the by.
So I don't quite know how this is an exploit.
(*) = or I am.
Let's delve into the technical a bit, shall we? Host records are in place
so that authorization info can be associated with the hosts that are
registered as nameservers for a domain. One would expect that a host
registered with the Internic would at some point in time be listed as a
nameserver on an Internic domain name registration.
When a host is listed as a nameserver on an Internic domain name
registration, e.g. example.com, it is listed in the Internic zone, i.e.
.com, as a glue record. If your nameserver happens to resolve example.com
it will also learn the addresses from the glue records, thus if at some
later point in time one of your customers attempts to access
perhaps.youwant.to your nameserver will deliver the address learned from
the glue record and will not query the youwant.to domain nameserver.
I don't know whether these people actually did hijack the address of
perhaps.youwant.to or whether they were just preparing to do so. And I
don't know whether more recent versions of BIND can ignore glue records
which would mean that they only partially hijacked the host name.
Of course the Internic web pages claim that a host record can only be
changed by the technical contact of the domain in question. Since they
have no record in their database of a technical contact for youwant.to the
question is, why did they allow this info to be registered in the first
place?
Maybe I missed this somewhere, but has anyone tried contacting the people
listed as the contact of this host? I could be wrong, but I've seen
mangled submissions before, including a host template sent in when the
user meant to send in a domain template.
-- _______________
Chris Josephes __/ MRNet \
chrisj@mr.net __/ 612.362.5896
\________________/
A better question is: can a host with a .to domain name server as
anything other than a root server for a domain in .to? .to lookups to
the root are supposed to refer to the root servers for .to, no?
I shouldn't think that Internic ought to have _any_ bearing on stuff
that happens in .to; just because the King and his minions are
promoting themselves as "just like .com" does _not_ mean the mechanics
work that way.
Cheers,
-- jra