Can a TLD operator (not registrar) maliciously change the DNS resolution of a domain with that TLD?

Question

Say a company successfully applied to IANA to make .bob a Top-level domain and the company now operates the registry of every domain with .bob as the TLD. If the comany is under an authoritarian government with a track record of manipulating the Internet infrastructure, can a domain target.bob be hijacked so that it gets resolved to a server the government owns, instead of going through the name server the domain owner specified? Will DNSSEC help?

Answer 1

Yes, technically any node in the DNS tree can pervert everything below. But, especially at the TLD level it will be akin to a move with a nuke, it will be seen quickly and draw lots of actions and consequences.

You may want to go back at the Verisign Sitefinder fiasco. Not exactly the case you describe but very similar. It generated two consequences:

• contractually, gTLD registries at least because under contract with ICANN are now prevented to do things like that
• technically, there are safeguards, see for example root-delegation-only in bind that means exactly that (for both root and TLDs) to ensure there is no "hijacks".

And DNSSEC can help, but in a limited way. Because in your case even if the domain is properly delegated and DNSSEC secured before the hijack, it means the registry has and published the DS record, so once the hijack happens those DS records can be hijacked as well, or just removed, and end resolvers will see the change but just with that can not detect really a problem nor work around it.

Note that in your case of "authoritarian government" they don't even need to go to the registry and the authoritative nameservers. They can force things at the recursive state also, forcing ISPs. And it completely happens today, and even in non authoritarian government: various names are, by law or judge, forbidden to be resolved. Sometimes it happens at registry side (see Microsoft seizing domains recently - and regularly - at https://arstechnica.com/information-technology/2021/12/microsoft-seizes-domains-used-by-highly-sophisticated-hackers-in-china/), and sometimes at resolver (this the recent judgment against Quad9 a big public recursive nameserver service: https://www.quad9.net/news/blog/quad9-and-sony-music-german-injunction-status/)

Also, side technical note: in the DNS a dot does not mean necessarily a delegation, and both sides can be administratively and technically handled by a single party. For example gouv.fr and fr are technically and administratively handled by the same entity, there is no delegation nor hijack.