SANS Internet Storm Center InfoSec Forums

Comodo DNS hiccup on usertrust.com

We received a report from a reader (thanks Marco!) that earlier today, "usertrust.com", a domain used by Comodo CA, apparently was pointing elsewhere for a while.  From information captured by passive DNS sensors, it indeed looks like the NS records were changed to "ns1.pendingrenewaldeletion.com" and the A records were changed to point to 208.91.197.132, both indicative of a domain that has been "parked" by Network Solutions. Two hours later, the DNS records were updated again, and pointed back to Comodo.  Given that the registration record on Network Solutions' WHOIS shows a renewal date of December 5 for the usertrust.com domain, it is probably fair to assume that "something" went wrong in the renewal.
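The two signals in this diary, a delegation that suddenly points at a registrar's parking nameserver and IP, and a WHOIS expiry date that is about to lapse, are both things a domain owner can monitor. The following is an added example, not code from the ISC diary or from Comodo: it replays constructed passive-DNS-style observations (the parking NS name and IP are the ones reported above; the baseline NS and A values are placeholders) and parses the registrar's "Record expires on" line as quoted in the comments.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class Observation:
    seen: datetime   # when the passive-DNS sensor saw this answer
    rrtype: str      # "NS" or "A"
    rdata: str


# Constructed observations following the diary's timeline. The parking NS and
# A values are those the diary reports; the baseline values are placeholders.
OBSERVATIONS = [
    Observation(datetime(2012, 12, 5, 9, 0), "NS", "ns1.baseline.example"),
    Observation(datetime(2012, 12, 5, 9, 0), "A", "192.0.2.10"),
    Observation(datetime(2012, 12, 6, 9, 0), "NS", "ns1.pendingrenewaldeletion.com"),
    Observation(datetime(2012, 12, 6, 9, 0), "A", "208.91.197.132"),
    Observation(datetime(2012, 12, 6, 11, 0), "NS", "ns1.baseline.example"),
    Observation(datetime(2012, 12, 6, 11, 0), "A", "192.0.2.10"),
]
EXPECTED = {"NS": {"ns1.baseline.example"}, "A": {"192.0.2.10"}}  # approved answers


def delegation_alerts(observations, expected):
    """Observations whose answer is outside the approved set for its type, oldest first.
    A parked domain shows up as unexpected NS and A values at the same time."""
    return sorted((o for o in observations if o.rdata not in expected.get(o.rrtype, set())),
                  key=lambda o: o.seen)


def deviation_hours(observations, expected):
    """Hours from the first unexpected answer to the first approved answer seen after it."""
    alerts = delegation_alerts(observations, expected)
    if not alerts:
        return 0.0
    first_bad = alerts[0].seen
    restored = [o.seen for o in observations
                if o.seen > first_bad and o.rdata in expected.get(o.rrtype, set())]
    return (min(restored) - first_bad).total_seconds() / 3600 if restored else float("inf")


def parse_whois_expiry(line):
    """Parse a registrar line such as 'Record expires on 04-Dec-2017.' into a date."""
    m = re.search(r"(\d{1,2}-[A-Za-z]{3}-\d{4})", line)
    if not m:
        raise ValueError(f"no expiry date found in {line!r}")
    return datetime.strptime(m.group(1), "%d-%b-%Y").date()


def days_until_expiry(whois_line, today_iso):
    """Days of registration left as of today_iso (YYYY-MM-DD); negative means it has lapsed."""
    return (parse_whois_expiry(whois_line) - date.fromisoformat(today_iso)).days
```

Run against real passive-DNS or WHOIS output, the same two checks turn a two-hour parking episode into an alert instead of something a reader has to notice.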
Daniel

367 Posts
ISC Handler
- http://centralops.net/co/DomainDossier.aspx
USERTRUST.COM ...
Record expires on 04-Dec-2017.
Record created on 05-Dec-1997.
Database last updated on 6-Dec-2012 14:52:26 EST.
Jack

160 Posts
> Given that the registration record on Network Solutions' WHOIS shows a renewal date of December 5 for the usertrust.com domain, it is probably fair to assume that "something" went wrong in the renewal.

I think that the only thing that went "wrong" is that the contact-person for the domain ignored the "your-domain-registration-is-about-to-expire" E-mail (or that the listed contact-person no longer works for the company (or is on a long leave/vacation), and no Pointy-Hair-Boss thought to update the contact-information to point to the newly-hired replacement).

So, when the registration expired, some "automation" kicked-in, and changed the registration-information to the values that you cited.

Then, when DNS-caches flushed (Time-To-Live expiry), and the owner of the domain could see the difference, a quick credit-card transaction kicked-off a "reversion" of the domain-registration, and reactivated it for a long time.

In 10 years, I wonder if the current contact-person for the domain-registration will be retired/out-placed/moved-on/head-hunted.

Moral of the story: check your domain-registration, more than once every 10 or 15 years!
