Hello all,

The message below appeared in a mailing list from a member of my ALS. I don't myself know enough DNS mechanics to verify what the poster said. There is an allegation of domain hijacking in the mail which raised my attention. Can someone help verify if the complaint is legit?

Thanks!

- Evan

-------- Original Message --------

I check www.infonec.ca for deals every once in a while. This week it hasn't been working reliably for me. Sometimes I get a web page that lets me buy domains from Network Solutions or renew the infonec.ca domain.

I decided to track this down today. The status might have been different during the week.

- dig www.infonec.ca gives me:

    ;; ANSWER SECTION:
    www.infonec.ca. 3548 IN CNAME www.infonec.com.
    www.infonec.com. 7134 IN A 209.62.72.173

    ;; AUTHORITY SECTION:
    infonec.com. 55267 IN NS ns2.pendingrenewaldeletion.com.
    infonec.com. 55267 IN NS ns1.pendingrenewaldeletion.com.

(This data comes from the look.ca name servers. If you walk the tree, the results are different and correct.)

pendingrenewaldeletion.com. is a Network Solutions nameserver.

209.62.72.173 is a Network Solutions web server that offers domains (as described above).

It seems odd to me that an Answer Section would include information about a domain name for which you didn't query (infonec.com). I would have thought that it belonged in the Additional Section.

The TTL for the main answers is an hour or two -- reasonable. The TTLs for the authority section are questionable considering the authorities are wrong: over 15 hours.

infonec.ca seems to be properly registered. It expires in 2018/02/19 so it is unlikely to have been recently renewed (any renewal would be for an integral number of years). The registrar is "Can Reg (Infinet Communications Group)" (not Network Solutions). Its name servers are dns0[12].tor.axxent.ca.

dig @dns02.tor.pathcom.com. www.infonec.ca +tcp:

    ;; ANSWER SECTION:
    www.infonec.ca. 3600 IN CNAME www.infonec.com.
    www.infonec.com. 3600 IN A 207.188.71.50

    ;; AUTHORITY SECTION:
    infonec.com. 3600 IN NS dns01.tor.axxent.ca.
    infonec.com. 3600 IN NS dns02.tor.axxent.ca.

The CNAME says use www.infonec.com. Just like the one I get from look. But the rest is different.

infonec.com seems to be properly registered. It expires in 25-apr-2017. The last update date is 02-may-2008 so maybe they let it expire and renewed it (with Network Solutions) yesterday.

dig @ns1.pendingrenewaldeletion.com. www.infonec.ca +tcp:

    ;; ANSWER SECTION:
    www.infonec.ca. 7200 IN A 209.62.72.173

There was no Authority section. I wonder what that means.

Apparently Network Solutions is still hijacking this AFTER they have their money.

How is it that Network Solutions can take over a domain like this? If the domain had not expired, surely they would not have hijacked it. If it had expired, how can they legitimately take it over like this? If it is renewed, how can they ethically have a name server continue to hijack it?

The offer to "renew this domain" is bogus since the web page was "www.infonec.ca" and not "infonec.com" and the page says on it "infonec.ca", a still-registered domain.

Maybe look.ca's DNS is caching improperly. I really don't know/remember all the DNS rules.

dig @ns1.pendingrenewaldeletion.com. madeupname73993.ca +tcp:

    [long pause]
    ;; ANSWER SECTION:
    madeupname73993.ca. 7200 IN A 209.62.72.173

(No authority section.)

Hmmm. I guess that they hijack all names and give the same answer. That should make for a very fast lookup since no lookup is required. So why the long pause? Perhaps to grab the name I queried about?

I guess that the resolver should ignore all answers where the authority section says *.pendingrenewaldeletion.com. Or perhaps where there is no authority section.
> The message below appeared in a mailing list from a member of my ALS. I don't myself know enough DNS mechanics to verify what the poster said.
He's confused. I can explain in detail if you want, but it's clear that what happened is that www.infonec.ca is set up as an alias for www.infonec.com, and they forgot to renew the .com so NSI pointed it at their expired domain servers until he paid. All the registrars I know would do the same thing.

The "suspicious" stuff re authority sections is perfectly normal since the DNS server for infonec.ca is also the server for infonec.com.

R's,
John

PS: The previous claim of NSI hijacking wildcard domains was wrong, too. The only evil I've seen them do recently is AGP frontrunning of domains that people ask about but don't buy.
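The cross-zone CNAME dependency discussed in this thread can be checked mechanically. The following is an added example, not part of either message: it parses the two record sets quoted in the forwarded post and reports when a name's CNAME chain leaves its own zone and lands in a zone delegated to the expired-domain name servers. The helper names are hypothetical, and taking the last two labels as the zone is an assumption that holds for the names here.

```python
# Added example: audit dig-style records for a CNAME that depends on another zone.
# Record values are the ones quoted in the post above; helper names are hypothetical.
PARKING_SUFFIXES = ("pendingrenewaldeletion.com.",)  # name servers named in the post

LOOK_CA_VIEW = """\
www.infonec.ca. 3548 IN CNAME www.infonec.com.
www.infonec.com. 7134 IN A 209.62.72.173
infonec.com. 55267 IN NS ns2.pendingrenewaldeletion.com.
infonec.com. 55267 IN NS ns1.pendingrenewaldeletion.com.
"""
DIRECT_VIEW = """\
www.infonec.ca. 3600 IN CNAME www.infonec.com.
www.infonec.com. 3600 IN A 207.188.71.50
infonec.com. 3600 IN NS dns01.tor.axxent.ca.
infonec.com. 3600 IN NS dns02.tor.axxent.ca.
"""

def parse_records(text):
    """Parse 'name ttl class type rdata' lines into tuples, skipping ';' comments."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and not line.startswith(";"):
            name, ttl, _cls, rtype, rdata = fields[:5]
            records.append((name.lower(), int(ttl), rtype.upper(), rdata.lower()))
    return records

def zone_of(name):
    """Assumption: the zone is the last two labels (true for the .ca/.com names here)."""
    return ".".join(name.rstrip(".").split(".")[-2:]) + "."

def audit(text, qname):
    """Follow the CNAME chain from qname; report foreign zones and parked delegations."""
    records = parse_records(text)
    chain, seen = [qname.lower()], set()
    while chain[-1] not in seen:  # stop on CNAME loops
        seen.add(chain[-1])
        targets = [r[3] for r in records if r[0] == chain[-1] and r[2] == "CNAME"]
        if not targets:
            break
        chain.append(targets[0])
    foreign = sorted({zone_of(n) for n in chain[1:]} - {zone_of(chain[0])})
    parked = sorted(z for z in foreign
                    if any(r[0] == z and r[2] == "NS" and r[3].endswith(PARKING_SUFFIXES)
                           for r in records))
    addrs = [r[3] for r in records if r[0] == chain[-1] and r[2] == "A"]
    return {"chain": chain, "foreign_zones": foreign, "parked_zones": parked, "addresses": addrs}

if __name__ == "__main__":
    for label, view in (("look.ca", LOOK_CA_VIEW), ("direct", DIRECT_VIEW)):
        print(label, audit(view, "www.infonec.ca."))
```

Both views show the same dependency on infonec.com; only the first shows that zone delegated to the parking name servers, which is why the .ca name resolved to the registrar's page while its own registration was intact.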
participants (2): Evan Leibovitch, John Levine