An example is in order. Imagine that Example, Inc. has registered the domains example.TLD and example2.TLD, and has identified NS1.example2.TLD and NS2.example2.TLD as the name servers for example.TLD. In TLD's zone file you would find the name server (NS) records for example.TLD and example2.TLD and the A records (also called glue) for those name servers, as follows:
example.TLD NS ns1.example2.TLD
example.TLD NS ns2.example2.TLD
example2.TLD NS ns1.example2.TLD
example2.TLD NS ns2.example2.TLD
.
.
.
ns1.example2.TLD A 10.0.1.53
ns2.example2.TLD A 10.0.2.53
Now, let's suppose example2.TLD is deleted from the TLD registry. This might occur if Example, Inc. fails to renew the registration for the domain. It might also occur if the domain was suspended because it had been associated with malicious activity (hold this thought). The registry operator (in concert with the sponsoring registrar) should remove the resource records associated with example2.TLD. Removing the glue records, however, would affect example.TLD, since NS1.example2.TLD and NS2.example2.TLD host example.TLD's zone. TLD has some options: rename the name server, or make it an "orphan" (so labeled because the parent domain name no longer exists).
In the scenario I presented, *all* the resource records are managed by a single registry. The issue of orphans becomes more problematic when an organization registers domains in one registry and hosts name service in another. Additionally, name servers often host zone files for many domains, so removing glue records might interrupt name service for other domains that also use ns1.example2.TLD or ns2.example2.TLD to host their zone files. Policies vary across gTLDs and ccTLDs, further compounding the problem. In cases where the domains involved are not in the same top-level domain, the registry operators cannot know about the dependency unless they are notified by the registrar or registrant(s) involved in the name deletion.
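As an added illustration (not code from the original post, and not anything a registry actually runs), the following Python script parses a constructed registry zone fragment modeled on the example above, reports which glue records would be orphaned by deleting example2.TLD and which delegations still depend on them, and flags glue that already has no parent delegation. The zone data and function names are my assumptions.

```python
from collections import defaultdict

# Constructed registry zone fragment (not from the page). A third domain,
# other.TLD, is added to show a dependency the registrar may not know about.
ZONE = """
example.TLD   NS ns1.example2.TLD
example.TLD   NS ns2.example2.TLD
example2.TLD  NS ns1.example2.TLD
example2.TLD  NS ns2.example2.TLD
other.TLD     NS ns1.example2.TLD
ns1.example2.TLD A 10.0.1.53
ns2.example2.TLD A 10.0.2.53
"""

def parse_zone(text):
    """Return (delegations, glue) from 'owner TYPE rdata' lines.
    delegations: domain -> set of name server hosts; glue: host -> address."""
    delegations = defaultdict(set)
    glue = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank lines and anything that is not a simple RR
        owner, rtype, rdata = (p.lower() for p in parts)
        if rtype == "ns":
            delegations[owner].add(rdata)
        elif rtype == "a":
            glue[owner] = rdata
    return delegations, glue

def parent_domain(host):
    """Registrable name directly under the TLD (last two labels)."""
    return ".".join(host.split(".")[-2:])

def dependents(delegations, nameserver):
    """Domains whose delegation points at this name server host."""
    return sorted(d for d, ns in delegations.items() if nameserver in ns)

def simulate_deletion(delegations, glue, domain):
    """For each glue host under `domain`, list delegations that would break
    if the glue were removed along with the domain."""
    remaining = {d: ns for d, ns in delegations.items() if d != domain}
    return {h: dependents(remaining, h) for h in glue
            if parent_domain(h) == domain}

def find_orphans(delegations, glue):
    """Glue hosts whose parent domain no longer has a delegation in the zone."""
    return sorted(h for h in glue if parent_domain(h) not in delegations)
```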
Let's go back to that thought I asked you to hold. Imagine that a bad actor registers a bunch of phishing domains in TLD *A*, and hosts them at a name server in TLD *B*. Now imagine that the parent domain is removed in the same manner as in my example, as a result of a suspension action by a registrar. The orphaned name server is now an obscure corner from which other phishing domains can operate name service.
Preliminary results of a study of the prevalence of this form of DNS abuse suggest that there is a correlation between malicious domains (in particular, fast-flux attack domains) and orphaned name servers. This is an important problem to solve, and I'd love to hear your opinions on how to solve it.