nanog mailing list archives

Re: A Deep Dive on the Recent Widespread DNS Hijacking


From: Mark Andrews <marka () isc org>
Date: Mon, 25 Feb 2019 17:04:39 +1100



On 25 Feb 2019, at 4:34 pm, Bill Woodcock <woody () pch net> wrote:



On Feb 24, 2019, at 5:51 PM, Keith Medcalf <kmedcalf () dessus com> wrote:

That they also "forgot" to disable DNSSEC on PCH is not particularly relevant.  It only goes to prove my point that 
DNSSEC is irrelevant and only gives a false sense of security (for this particular attack vector).

For those watching from the sidelines, this guy is perfectly encapsulating one of the arguments that seem to pop up 
in the wake of attacks: “What actually happened is irrelevant, because I can imagine other things that could 
hypothetically have happened, but didn’t, which would have reinforced my view of the world.”

I can’t say that I understand the psychology behind people thinking this way, but as we’re choosing to be transparent 
about our experience for the benefit of others, I thought I’d highlight this particular quirk, as Mr. Medcalf is far 
from alone (not about DNSSEC specifically, but apparently attacks bring people with all manner of chips on their 
shoulders out of the woodwork).  It’s a particularly self-defeating logical fallacy, so being aware of it is the 
first step to recognizing it and avoiding it.

                               -Bill

I would also note that an organisation can deploy RFC 5011 for their own zones and have their own equipment use DNSKEYs 
managed using RFC 5011 for their own zones.  This isolates the organisation’s equipment from the parent zone’s 
management practices.

I would also note that you can configure validating resolvers to expect secure responses for parts of the namespace and 
to reject insecure responses even when they validate as insecure.

An organisation can also deploy DLV for their own zones using their own registry.  While the current DLV 
validating code is only invoked when the response validates as insecure, there is nothing preventing a policy which 
says that DLV trumps or must also validate for entries in a registry.  At this stage it would be a minor code change to 
add such policy knobs.  DLV is just an in-band way of distributing trust anchors.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka () isc org
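The RFC 5011 mechanism Mark describes for an organisation's own zones, as an added example that is not part of this thread and not ISC's code: a Python model of the RFC 5011 section 4 trust-anchor state machine (Start, AddPend, Valid, Missing, Revoked, Removed) driven by successive DNSKEY RRset observations. Everything in it is constructed for illustration: the key names KSK1/KSK2, the use of a stable key_id instead of the real key tag (setting the REVOKE bit changes a key's tag), explicit times in seconds, and the omission of the RFC's query-interval and active-refresh scheduling.

```python
"""Added example: RFC 5011 trust-anchor state machine for one trust point."""
from dataclasses import dataclass
from enum import Enum

DAY = 86400
ADD_HOLD_DOWN = 30 * DAY      # RFC 5011 add hold-down time
REMOVE_HOLD_DOWN = 30 * DAY   # RFC 5011 remove hold-down time


class State(Enum):
    START = "Start"
    ADD_PEND = "AddPend"
    VALID = "Valid"
    MISSING = "Missing"
    REVOKED = "Revoked"
    REMOVED = "Removed"


@dataclass(frozen=True)
class DnsKey:
    key_id: str            # constructed stand-in for the public key material
    revoked: bool = False  # REVOKE flag bit (RFC 5011 section 2.1)


@dataclass
class Anchor:
    state: State
    since: int             # time (seconds) the current state was entered


class TrustPoint:
    def __init__(self, initial_key_ids, now):
        # Keys configured out of band start directly in Valid.
        self.anchors = {k: Anchor(State.VALID, now) for k in initial_key_ids}

    def trusted(self):
        """Keys currently trusted to sign the DNSKEY RRset (Valid or Missing)."""
        return {k for k, a in self.anchors.items()
                if a.state in (State.VALID, State.MISSING)}

    def state_of(self, key_id):
        return self.anchors.get(key_id, Anchor(State.START, 0)).state

    def _set(self, key_id, state, now):
        self.anchors[key_id] = Anchor(state, now)

    def observe(self, rrset, signed_by, now):
        """Process one DNSKEY RRset observation.

        rrset:     DnsKey objects present in the zone's DNSKEY RRset
        signed_by: key_ids whose RRSIG over the RRset verified
        now:       observation time in seconds
        """
        # Section 2.2: only an RRset signed by a currently trusted key may
        # introduce or revoke anchors; anything else is ignored outright.
        if not (signed_by & self.trusted()):
            return
        present = {k.key_id: k for k in rrset}

        for key_id, key in present.items():
            st = self.state_of(key_id)
            if key.revoked:
                # RevBit event: REVOKE bit set AND self-signed; an unsigned
                # revoked key, or a revoked key never trusted, is ignored.
                if key_id in signed_by:
                    if st in (State.VALID, State.MISSING):
                        self._set(key_id, State.REVOKED, now)
                    elif st == State.ADD_PEND:
                        self._set(key_id, State.START, now)
                continue
            # KeyPres event.
            if st == State.START:
                self._set(key_id, State.ADD_PEND, now)
            elif st == State.MISSING:
                self._set(key_id, State.VALID, now)

        # KeyRem event: a known key absent from the RRset.
        for key_id, anchor in list(self.anchors.items()):
            if key_id in present:
                continue
            if anchor.state == State.ADD_PEND:
                self._set(key_id, State.START, now)   # hold-down restarts later
            elif anchor.state == State.VALID:
                self._set(key_id, State.MISSING, now)

        self.expire_timers(now)

    def expire_timers(self, now):
        """AddTime / RemTime events (RFC 5011 section 4)."""
        for key_id, a in list(self.anchors.items()):
            if a.state == State.ADD_PEND and now - a.since >= ADD_HOLD_DOWN:
                self._set(key_id, State.VALID, now)
            elif a.state == State.REVOKED and now - a.since >= REMOVE_HOLD_DOWN:
                self._set(key_id, State.REMOVED, now)


def simulate_rollover():
    """Constructed KSK rollover: KSK1 is the configured anchor, KSK2 is
    introduced and held down, then KSK1 is revoked and retired."""
    tp = TrustPoint({"KSK1"}, now=0)
    ksk1, ksk2 = DnsKey("KSK1"), DnsKey("KSK2")
    tp.observe({ksk1, ksk2}, {"KSK1"}, now=0)                 # KSK2 -> AddPend
    tp.observe({ksk1, ksk2}, {"KSK1"}, now=31 * DAY)          # AddTime -> Valid
    tp.observe({DnsKey("KSK1", revoked=True), ksk2},
               {"KSK1", "KSK2"}, now=40 * DAY)                 # RevBit -> Revoked
    tp.observe({ksk2}, {"KSK2"}, now=71 * DAY)                 # RemTime -> Removed
    return {k: a.state.value for k, a in tp.anchors.items()}


if __name__ == "__main__":
    print(simulate_rollover())
```

The two checks that carry the security weight are the `signed_by & self.trusted()` gate, which stops an unsigned or attacker-signed RRset from ever planting a new anchor, and the hold-down timers, which give an operator the 30-day window to notice an unexpected key before any resolver starts trusting it.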
