[maaaats]

He hasn't injected anything. It's just his public DNS record that this page has chosen to display without sanitizing.

[pbhjpbhj]

I imagine the UK Computer Misuse Act (eg at Section 3, http://www.legislation.gov.uk/ukpga/1990/18) probably covers it if the person who altered the TXT field does so to cause websites to load code on purpose, that purpose being for example to impair (Section 3(2)(a)) the running of the computer [causing Rick Astley to play, defo counts!] - but it can be read to cover pretty much anything.

Similarly I imagine something like the CFAA (18 USC 1030) probably has broad enough clauses to make this sort of action technically illegal, at least in some cases? But I'm out of my depth on that one.

[r0m4n0]

at least the UK has something somewhat specific (and actually fits XSS quite well).

CA 502c just says: "(3) Knowingly and without permission uses or causes to be used computer services" amongst other very broad subsections

http://support.piercecollege.edu/1521a/References/California...