Comodo DNS hiccup on usertrust.com - SANS Internet Storm Center

Comodo DNS hiccup on usertrust.com
We received a report from a reader (thanks Marco!) that earlier today, "usertrust.com", a domain used by Comodo CA, apparently was pointing elsewhere for a while. From information captured by passive DNS sensors, it indeed looks like the NS records were changed to "ns1.pendingrenewaldeletion.com" and the A records were changed to point to 208.91.197.132, both indicative of a domain that has been "parked" by Network Solutions. Two hours later, the DNS records were updated again, and pointed back to Comodo. Given that the registration record on Network Solutions' WHOIS shows a renewal date of December 5 for the usertrust.com domain, it is probably fair to assume that "something" went wrong in the renewal.	Daniel 367 Posts ISC Handler
Reply Subscribe	Dec 6th 2012 6 years ago
- http://centralops.net/co/DomainDossier.aspx USERTRUST.COM ... Record expires on 04-Dec-2017. Record created on 05-Dec-1997. Database last updated on 6-Dec-2012 14:52:26 EST. .	Jack 160 Posts
Reply Quote	Dec 6th 2012 6 years ago
> Given that the registration record on Network Solutions' WHOIS shows a renewal date of December 5 for the usertrust.com domain, it is probably fair to assume that "something" went wrong in the renewal. I think that the only thing that went "wrong" is that the contact-person for the domain ignored the "your-domain-registration-is-about-to-expire" E-mail (or that the listed contact-person no longer works for the company (or is on a long leave/vacation), and no Pointy-Hair-Boss thought to update the contact-information to point to the newly-hired replacement. So, when the registration expired, some "automation" kicked-in, and changed the registration-information to the values that you cited. Then, when DNS-caches flushed (Timt-To-Live expiry), and the owner of the domain could see the difference, a quick credit-card transaction kicked-off a "reversion" of the domain-registration, and reactivated it for a long time. In 10 years, I wonder if the current contact-person for the domain-registration will be retired/out-placed/moved-on/head-hunted. Moral of the story: check your domain-registration, more than once every 10 or 15 years!	Anonymous
Reply Quote	Dec 7th 2012 6 years ago

We received a report from a reader (thanks Marco!) that earlier today, "usertrust.com", a domain used by Comodo CA, apparently was pointing elsewhere for a while. From information captured by passive DNS sensors, it indeed looks like the NS records were changed to "ns1.pendingrenewaldeletion.com" and the A records were changed to point to 208.91.197.132, both indicative of a domain that has been "parked" by Network Solutions. Two hours later, the DNS records were updated again, and pointed back to Comodo. Given that the registration record on Network Solutions' WHOIS shows a renewal date of December 5 for the usertrust.com domain, it is probably fair to assume that "something" went wrong in the renewal.

Daniel

367 Posts
ISC Handler

- http://centralops.net/co/DomainDossier.aspx
USERTRUST.COM ...
Record expires on 04-Dec-2017.
Record created on 05-Dec-1997.
Database last updated on 6-Dec-2012 14:52:26 EST.
.

Jack

160 Posts

> Given that the registration record on Network Solutions' WHOIS shows a renewal date of December 5 for the usertrust.com domain, it is probably fair to assume that "something" went wrong in the renewal.

I think that the only thing that went "wrong" is that the contact-person for the domain ignored the "your-domain-registration-is-about-to-expire" E-mail (or that the listed contact-person no longer works for the company (or is on a long leave/vacation), and no Pointy-Hair-Boss thought to update the contact-information to point to the newly-hired replacement.

So, when the registration expired, some "automation" kicked-in, and changed the registration-information to the values that you cited.

Then, when DNS-caches flushed (Timt-To-Live expiry), and the owner of the domain could see the difference, a quick credit-card transaction kicked-off a "reversion" of the domain-registration, and reactivated it for a long time.

In 10 years, I wonder if the current contact-person for the domain-registration will be retired/out-placed/moved-on/head-hunted.

Moral of the story: check your domain-registration, more than once every 10 or 15 years!

Anonymous