Afilias to Protect TLDs Against Potential “Orphan Glue” Exploits

Afilias has informed registrars and registry clients that it is taking steps to remove orphan glue records from 200+ TLD zones in its care. This will eliminate the potential for a handful of domain names to be misused. 

“Glue records” enable websites and other uses of domain names to work on the internet. They are related to DNS domain name delegations and are necessary to guide iterative resolvers to delegated nameservers. A glue record becomes an orphan when its parent nameserver record is removed from the DNS but the corresponding glue record remains. (See SAC048 from ICANN’s Security and Stability Advisory Committee (SSAC) for a detailed explanation.) While some orphan glue is always expected to exist, e.g., when the parent domain is suppressed from publication in the DNS in the course of normal registry operations, we would expect the number of such records to be relatively small.

Following information passed on by responsible sources (graduate students Gautam Akiwate at UC San Diego and Raffaele Sommese at the University of Twente), Afilias identified a handful of domain names among the 20 million names we support that relied upon orphan glue records that have no corresponding parent domain in the registry. These records persisted after the parent nameserver records were deleted as part of the normal deletion of a domain name. Theoretically, the deleted names could be re-registered for nefarious purposes and redirect queries to an unintended destination. The possibility of such a case led us to take immediate action.
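As an added illustration of the check described above (this is example code written for this page, not Afilias’ registry tooling), the script below scans a simplified TLD zone for address records whose host name no longer sits under any delegated domain, and reports which still-delegated domains depend on those orphaned hosts. The zone format (one `owner TYPE rdata` record per line), the apex name `tld`, and the sample records are all constructed assumptions.

```python
"""Find orphan glue in a TLD-style zone.

Orphan glue, as used here: an A/AAAA record for a host under the apex
whose owner name is not under any delegated (NS-bearing) child domain.
Example code for this page; the record format and the sample zone are
constructed, not registry data.
"""
from collections import defaultdict

APEX = "tld"  # constructed apex name

# Constructed sample zone: nic.tld, alpha.tld and beta.tld are delegated;
# gone.tld was deleted, but the address records for its nameservers remain
# and beta.tld still points at one of them.
SAMPLE_ZONE = """
tld NS a.nic.tld
nic.tld NS a.nic.tld
a.nic.tld A 192.0.2.53
alpha.tld NS ns1.alpha.tld
ns1.alpha.tld A 192.0.2.10
beta.tld NS ns1.gone.tld
beta.tld NS ns1.alpha.tld
ns1.gone.tld A 192.0.2.20
ns2.gone.tld AAAA 2001:db8::20
"""


def parse_zone(text):
    """Parse 'owner TYPE rdata' lines into (owner, type, rdata) tuples."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore blank or malformed lines
        owner, rtype, rdata = parts
        records.append((owner.lower(), rtype.upper(), rdata.lower()))
    return records


def _is_under(name, parent):
    """True if name equals parent or is a subdomain of it."""
    return name == parent or name.endswith("." + parent)


def find_orphan_glue(records, apex=APEX):
    """Return orphan glue records and the delegations that still use them."""
    apex = apex.lower()
    # Every owner of an NS record other than the apex is a delegated child.
    delegations = {o for o, t, _ in records if t == "NS" and o != apex}
    # Map nameserver host -> domains whose NS records name it.
    referrers = defaultdict(set)
    for o, t, r in records:
        if t == "NS":
            referrers[r].add(o)
    orphans = []
    for o, t, r in records:
        if t not in ("A", "AAAA") or o == apex or not _is_under(o, apex):
            continue
        # Glue is legitimate only if some delegation encloses its owner name.
        if any(_is_under(o, d) for d in delegations):
            continue
        orphans.append({
            "host": o,
            "type": t,
            "address": r,
            "still_used_by": sorted(referrers.get(o, set()) - {apex}),
        })
    return orphans


def affected_domains(orphans):
    """Delegated domains whose NS records rely on an orphaned host."""
    return {d for entry in orphans for d in entry["still_used_by"]}


if __name__ == "__main__":
    found = find_orphan_glue(parse_zone(SAMPLE_ZONE))
    for entry in found:
        print(f"orphan glue: {entry['host']} {entry['type']} {entry['address']}"
              f" used by {entry['still_used_by'] or 'nobody'}")
    print("domains to notify:", sorted(affected_domains(found)))
```

Run against the constructed zone it flags both `ns1.gone.tld` and `ns2.gone.tld` as orphan glue and lists `beta.tld` as the one delegation that must change its nameservers before the orphan records are removed; the same two-step output (records to delete, registrants to notify) is what a registry-side cleanup needs.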

Afilias’ plan is to remove all such problematic orphan glue records and adjust security settings to prohibit the persistence of such records when names are deleted in the future.

Afilias has notified registrars so they can inform the few domain owners who currently rely on orphan glue records to make appropriate adjustments immediately. Registry operators need take no action.