.io Registrar almost lost control of their Domains
Matthew Bryant, a researcher, was able to successfully take over the entire .io TLD after a slip-up by its operating registry left authoritative name servers freely available. Authoritative name servers are DNS servers that control resolution of all domains for a given zone, in this case “.io”. These name servers are a vital part of the DNS system which controls where requests are routed.
The mistake was noticed by Bryant earlier this month while conducting scans of DNS servers (he has a history of finding security vulnerabilities with other TLDs). He found one of .io’s authoritative name servers was available to register. This essentially gives you complete control of the zone because you can now control what IP address any domain routes to.
This is a major security vulnerability because requests for anysite.io could be routed to any server while still appearing to be the correct domain. This could also be used in a denial of service attack to make .io sites inaccessible.
Upon further investigation, Bryant was able to register the domains used by 4 of the 7 authoritative nameservers for the .io TLD. Those domains had been available and available to register by anyone willing to pay the $90 registration fee.
The error has highlighted just how much trust and vulnerability lies with registries, a fact often ignored when we choose to use “vanity” domains, which are often operated by smaller and poorly managed registries.