
Afilias to Protect TLDs Against Potential "Orphan Glue" Exploits

Afilias has informed registrars and registry clients that it is taking steps to remove orphan glue records from the 200+ TLD zones in its care. This will eliminate the potential for a handful of domain names to be misused.

"Glue records" enable websites and other uses of domain names to work on the internet. They are related to DNS domain name delegations and are necessary to guide iterative resolvers to delegated nameservers. A glue record becomes an orphan when its parent nameserver record is removed from the DNS but the corresponding glue record remains. (See the ICANN Security and Stability Advisory Committee (SSAC) report SAC048 for a detailed explanation.) While some orphan glue is always expected to exist, e.g., when the parent domain is suppressed from publication in the DNS in the course of normal registry operations, we would expect the number of such records to be relatively small.

Following information passed on by responsible sources, graduate students Gautam Akiwate at UC San Diego and Raffaele Sommese at the University of Twente, Afilias identified a handful of domain names among the 20 million names we support that relied upon orphan glue records, i.e., glue records that have no corresponding parent domain in the registry. These records persisted after the parent nameserver records were deleted as part of the normal deletion of a domain name. In theory, the deleted names could be re-registered for nefarious purposes and redirect queries to an unintended destination. That possibility led us to take immediate action.

Afilias' plan is to remove all such problematic orphan glue records and adjust security settings to prohibit the persistence of such records when names are deleted in the future.
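As an added illustration (this is not Afilias code; the TLD, host names, addresses and the registry view are all constructed), the following Python audit applies the definition above to a small zone. Glue whose parent delegation is missing from the zone is classified as expected when the parent is still registered but suppressed, and as problematic orphan glue when the parent is absent from the registry; the audit then lists the delegations that depend on each problematic host, which are the registrants to notify.

```python
from collections import defaultdict

# Constructed TLD zone for the hypothetical TLD "example": (owner, rrtype, rdata).
ZONE = [
    ("alpha.example", "NS", "ns1.alpha.example"),
    ("ns1.alpha.example", "A", "192.0.2.10"),   # normal glue: parent is delegated
    ("beta.example", "NS", "ns1.alpha.example"),
    ("beta.example", "NS", "ns1.gone.example"),
    ("ns1.gone.example", "A", "192.0.2.20"),    # parent gone.example was deleted
    ("gamma.example", "NS", "ns1.hold.example"),
    ("ns1.hold.example", "AAAA", "2001:db8::1"), # parent registered but withheld
    ("delta.example", "NS", "ns.provider.net"),  # out-of-zone nameserver, no glue
]

# Constructed registry view: registered names and their publication status.
REGISTRY = {
    "alpha.example": "ok", "beta.example": "ok", "gamma.example": "ok",
    "delta.example": "ok",
    "hold.example": "serverHold",  # registered, but suppressed from the zone
}

def parent_domain(host):
    """Registrable parent of an in-zone host; assumes a single-label TLD."""
    return ".".join(host.split(".")[-2:])

def classify_glue(zone, registry):
    """Split glue records whose parent delegation is missing from the zone into
    'suppressed' (parent still registered) and 'orphan' (parent not registered)."""
    delegated = {owner for owner, rrtype, _ in zone if rrtype == "NS"}
    orphan, suppressed = set(), set()
    for owner, rrtype, _ in zone:
        if rrtype not in ("A", "AAAA"):
            continue
        parent = parent_domain(owner)
        if parent in delegated:
            continue  # ordinary glue: the parent delegation still exists
        if parent in registry:
            suppressed.add(owner)  # expected during normal registry operations
        else:
            orphan.add(owner)      # parent absent: the case the post describes
    return orphan, suppressed

def dependents(zone, hosts):
    """Map each affected glue host to the delegations whose NS records use it."""
    deps = defaultdict(set)
    for owner, rrtype, rdata in zone:
        if rrtype == "NS" and rdata in hosts:
            deps[rdata].add(owner)
    return dict(deps)
```

Running `dependents(ZONE, classify_glue(ZONE, REGISTRY)[0])` yields the list of delegations that would need adjusting before the problematic glue is removed.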

Afilias has notified registrars so they can inform the few domain owners who currently rely on orphan glue records to make appropriate adjustments immediately. Registry operators need take no action.

By Dr. James Galvin, Director, Technical Standards and Strategic Relationships at Afilias – Dr. Galvin is a key leader of the Afilias technical team with over 25 years of Internet standards and policies development experience.


Comments

Good initiative – By Karl Auerbach – Aug 11, 2020 4:06 pm PST

Over the years I've left my share of orphaned glue.  Registrar tools are not really adequate for me (and I presume others) to remember and clean-up the servers I once used but forgot.

I've noticed a lot of attack traffic coming in via my live NS records.  I've never tracked what's hitting my past ones.

By Todd Knarr – Aug 11, 2020 8:12 pm PST

The registrars I've dealt with don't even provide tools for domain owners to manage the glue records directly. You fill in the NS records and the back-end software fills in the necessary A/AAAA records automatically. I was under the impression even high-end enterprise services did the same in the name of ease-of-use, depending on having at least one out-of-zone nameserver to bootstrap the lookups for in-zone nameservers.

By Dr. James Galvin – Aug 12, 2020 10:51 am PST

In general, as a registrant, you shouldn't need to worry about the glue records.  As you point out, it's straightforward enough for a registrar to manage this for you with the registry.  Having out-of-zone nameservers is something you have to do for yourself though, and the best way to do this is with two domains you own that "depend" on each other, including the contact information.  Otherwise, you don't know the status of the glue of the nameservers you don't control and that can be a serious risk.

By Todd Knarr – Aug 12, 2020 9:10 pm PST

I think the normal case is out-of-zone nameservers, since even most enterprises have their primary DNS through a service like CloudFlare rather than hosting their own nameservers (at least for external use, internally it's likely to be an AD domain not directly accessible outside the corporate network and the state of the global DNS won't matter). In those cases orphan glue won't be a problem since the DNS provider's unlikely to let their own domain expire undetected. It seems like the primary vulnerable parties would be companies that for whatever reason don't use their DNS provider's nameservers by name but create A/AAAA records for them in one of their own domains and point those records at IP addresses provided by the DNS provider.

My immediate thought is that the only completely safe response is for the TLD operator to remove any glue records for hosts in a domain that's being removed and to notify the other registry operators so they can do the same. Delaying the removal for a short time so the affected domains can be warned would be nice, but anything other than removal is going to leave the affected domains subject to being hijacked as you noted. I think this is one of those cases (all too fracking common these days) where the faster you get the pain out of the way for the subject the better off everyone will be.

By Dr. James Galvin – Aug 12, 2020 10:39 am PST

Just for reader clarity, it's not the use of the NS record that determines whether or not it's an orphan, it's the absence of the parent domain that makes it an orphan.  If you're using your own domains for your nameserver names then they are not orphans, unless those domains are no longer registered.  The security threat is to re-register the missing parent domain, in which case traffic could be redirected and you wouldn't see it.
