.gov is the United States Government's top-level domain, run by dotgov.gov, which is part of the General Services Administration. This top-level domain is home to such entities as cia.gov, fbi.gov and everyone's favorite spy agency, nsa.gov.
I was taking my stroll down the internet yesterday when I noticed a peculiar thing; let us see if you notice it too:
ross@maui:~$ dig @a.root-servers.net gov. ns

; <<>> DiG 9.7.1-P2 <<>> @a.root-servers.net gov. ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6981
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 7
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;gov.                           IN      NS

;; AUTHORITY SECTION:
gov.                    172800  IN      NS      g.usadotgov.net.
gov.                    172800  IN      NS      a.usadotgov.net.
gov.                    172800  IN      NS      b.usadotgov.net.
gov.                    172800  IN      NS      d.usadotgov.net.
gov.                    172800  IN      NS      f.usadotgov.net.
gov.                    172800  IN      NS      c.usadotgov.net.
gov.                    172800  IN      NS      e.usadotgov.net.

;; ADDITIONAL SECTION:
a.usadotgov.net.        172800  IN      A       184.108.40.206
b.usadotgov.net.        172800  IN      A       220.127.116.11
c.usadotgov.net.        172800  IN      A       18.104.22.168
d.usadotgov.net.        172800  IN      A       22.214.171.124
e.usadotgov.net.        172800  IN      A       126.96.36.199
f.usadotgov.net.        172800  IN      A       188.8.131.52
g.usadotgov.net.        172800  IN      A       184.108.40.206

;; Query time: 37 msec
;; SERVER: 220.127.116.11#53(18.104.22.168)
;; WHEN: Tue Jan  4 07:09:30 2011
;; MSG SIZE  rcvd: 258
If you noticed that the authoritative name servers for .gov are [a-g].usadotgov.net, you are correct. Why would you use a .net domain, which anyone can own, as the home of your authoritative name servers for .gov, a top-level domain that is severely restricted and can only be registered and maintained through dotgov.gov? Now, let's look at usadotgov.net, which is a real domain:
ross@maui:~$ whois usadotgov.net
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: USADOTGOV.NET
Registrar: GODADDY.COM, INC.
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: DNSSEC10.DATAMTN.COM
Name Server: DNSSEC11.DATAMTN.COM
Name Server: DNSSEC12.DATAMTN.COM
Name Server: DNSSEC14.DATAMTN.COM
Name Server: DNSSEC7.DATAMTN.COM
Name Server: DNSSEC9.DATAMTN.COM
Updated Date: 13-aug-2009
Creation Date: 27-jul-2009
Expiration Date: 27-jul-2014
>>> Last update of whois database: Tue, 04 Jan 2011 07:12:14 UTC <<<
General Services Administration
10304 Eaton Place
Attn QTDC, 2E08
Fairfax, Virginia 22030
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: USADOTGOV.NET
Created on: 27-Jul-09
Expires on: 27-Jul-14
Last Updated on: 13-Aug-09
Domain servers in listed order:
This real domain, whose records are listed as .gov's name servers, is registered at GoDaddy of all places and uses name servers provided by a third party and based outside the USA (if you don't believe me, traceroute to DNSSEC7.DATAMTN.COM). For those of you who aren't familiar, GoDaddy is the largest domain registrar in the world and the place where a number of domain thefts take place (simply due to its sheer size). If you were going to do something like this, you might at the very least go with a company that specializes in protecting high-value domains, like MarkMonitor or CSC Global.
So what is the issue here? Why are you writing about this?
Well, if someone can get into the GoDaddy account where usadotgov.net is registered, they can modify, transfer or push that domain (it has happened to high-profile domains before; note that baidu.com is now at MarkMonitor). From there they can do anything they want, such as changing usadotgov.net's glue records for the a-g.usadotgov.net name servers, redirecting lookups for .gov (yes, all the .gov domains like cia.gov, fbi.gov, nsa.gov, etc.) to other servers. From there they could modify records for .gov domains as they see fit. Alternatively, they could just remove the glue records and name servers for usadotgov.net and the .gov domain would go dark. There are many possibilities here, like changing just one glue record (or adding a second IP to it) to siphon off traffic for just the records you want to modify, e.g. changing doj.gov's mail server record by adding a second IP to sniff mail (then forwarding it on, of course) going to the Department of Justice. Any of the endless possibilities scare me.
Why did this happen?
You would have to ask the General Services Administration and the dotgov.gov administrators why they put one of the most valuable top-level domains at risk, but I do have a theory. If you look at usadotgov.net, it was registered in July 2009 and has name servers of *.datamtn.com. If you look at http://www.datamtn.com you'll notice they offer DNSSEC services, and if you go to www.dotgov.gov you'll notice they say they just deployed DNSSEC. So my guess is that the GSA contracted with Data Mountain Solutions to deploy DNSSEC and this is what we got.
Well, I hope someone in charge at dotgov.gov changes this back so .gov is served exclusively by a domain ending in .gov for a bit better security, the way .mil is.
Let me know if you have any questions, comments or worries, and if you need to get in touch with me please use the contact form.
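The dependency the post is complaining about can be checked mechanically: walk a zone's NS set and collect every domain and registry outside the zone that must stay under legitimate control for it to resolve. This is an added example, not the author's or dotgov.gov's code; the NS data is a constructed snapshot copied from the dig and whois output above (the .mil entry is a hypothetical in-bailiwick delegation for contrast), so nothing is looked up live.

```python
"""Map the zones a TLD's resolution depends on (added example).

A name server is "in bailiwick" when it sits under the zone it serves.
Out-of-bailiwick servers make the zone depend on the registration of
their own domain (a registrar account) and on that domain's registry.
"""
from typing import Dict, List, Set, Tuple

# Constructed snapshot of the dig/whois output in the post (no live lookups).
# The .mil entry is hypothetical and only illustrates an in-bailiwick set.
DELEGATIONS: Dict[str, List[str]] = {
    "gov.": [f"{c}.usadotgov.net." for c in "abcdefg"],
    "usadotgov.net.": [f"dnssec{n}.datamtn.com." for n in (7, 9, 10, 11, 12, 14)],
    "mil.": ["a.nic.mil.", "b.nic.mil."],
}


def in_bailiwick(zone: str, host: str) -> bool:
    """True when host lies below zone, so the zone's own registry holds its glue."""
    return host.endswith("." + zone)


def registrable_and_tld(host: str) -> Tuple[str, str]:
    """'a.usadotgov.net.' -> ('usadotgov.net.', 'net.').

    Assumes a flat TLD (true for .net/.com); public-suffix rules are out of scope.
    """
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) + ".", labels[-1] + "."


def external_dependencies(zone: str,
                          delegations: Dict[str, List[str]] = DELEGATIONS) -> Set[str]:
    """Transitively collect every zone outside `zone` whose registration or
    registry must stay intact for `zone` to keep resolving."""
    deps: Set[str] = set()
    todo = [zone]
    while todo:
        for host in delegations.get(todo.pop(), []):
            if in_bailiwick(zone, host):
                continue
            for dep in registrable_and_tld(host):
                if dep != zone and dep not in deps:
                    deps.add(dep)
                    todo.append(dep)  # follow that domain's own NS set, if known
    return deps


if __name__ == "__main__":
    for z in ("gov.", "mil."):
        print(f"{z:6} depends on: {sorted(external_dependencies(z)) or 'nothing outside itself'}")
```

For the snapshot above, .gov comes out depending on usadotgov.net, .net, datamtn.com and .com, while the in-bailiwick .mil set depends on nothing outside itself.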
You'll notice nic.gov and datagov.gov use the same *.datamtn.com domain servers to resolve their names. I'm not sure I would really want a private third party running the domain name servers for the registrar.gov, especially with name servers outside of the USA.
Derek McUmber made a good point: IANA actually glues the records of a.usadotgov.net in the root zone via http://www.iana.org/domains/root/tld-change-template.txt
Derek and I had a good talk on the phone, and some things I brought up are that if the domain usadotgov.net does get hijacked and the person does fiddle with things, it could cause some issues if you are using a non-verifying DNSSEC resolver (not only this, but .net domains can't be signed at the registry yet), but the question becomes: does the resolver go to the root or to .net for the information for a.usadotgov.net, and do all resolvers work the same? What he was trying to convey is that since the records are signed and the government uses verifying resolvers, there should be no issues.
I also brought up the fact that a country could send back spoofed records from the root servers, as has happened before. If I can spoof a.usadotgov.net and look like I'm answering from l.root-servers.net, then what happens? Hopefully this will all go away as DNSSEC is more widely deployed.
I asked Paul Vixie the question below, as I didn't want to keep going back and forth on the issue.
“I guess my question is what happens to .org if usadotgov.net is hijacked, what damage can truly be done.”
Such a hijacker could make any .gov name say anything they wanted it to say, as long as the software looking up the bad data wasn’t dnssec-aware.