nanog mailing list archives

Re: A Deep Dive on the Recent Widespread DNS Hijacking


From: Måns Nilsson <mansaxel () besserwisser org>
Date: Mon, 25 Feb 2019 09:07:01 +0100

Subject: Re: A Deep Dive on the Recent Widespread DNS Hijacking

Date: Mon, Feb 25, 2019 at 05:04:39PM +1100 Quoting Mark Andrews (marka () isc org):
 
I would also note that an organisation can deploy RFC 5011 for their own
zones and have their own equipment use DNSKEYs managed
using RFC 5011 for their own zones.  This isolates the organisation’s
equipment from the parent zone’s management practices.

I would also note that you can configure validating resolvers to expect
secure responses for parts of the namespace and to reject
insecure responses even when they validate as insecure.
 
One thing that immediately struck me upon reading the Krebs post was
that people got owned by having to downgrade the end-to-end model of
the Internet into Proxy-land. A hotel wifi. Probably only challenged by
"Free Wifi" in other spaces in its ability to demolish the Internet as
thought out and envisioned.
 
We can conclude in two different directions here:

* We need to work on making the Internet more transparent to applications,
  and thus increasing security.

* We're all doomed anyway. DNSSEC is useless. 

Pick whichever you like. Our children will judge us. 
-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE           SA0XLR            +46 705 989668
My EARS are GONE!!
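As an added illustration of the two measures Mark Andrews describes (this fragment is not part of either message): a BIND 9 named.conf excerpt that pins an RFC 5011-managed trust anchor for the organisation's own zone and refuses answers for that zone that validate as insecure. The zone name example.org and the key string are placeholders; the syntax assumes BIND 9.16-era named.conf, and dnssec-must-be-secure has since been deprecated in newer BIND releases, so check the ARM for your version.

```conf
// Added example, not from the thread. example.org and the key string are placeholders.
options {
    // Validate all answers. "auto" uses the built-in root trust anchor and also
    // honours any trust anchors configured below.
    dnssec-validation auto;

    // Measure 2: answers for example.org that validate as merely "insecure"
    // (chain of trust broken at the parent, e.g. because the DS records at the
    // parent were changed or removed) are rejected with SERVFAIL instead of
    // being accepted as unsigned data. Deprecated in later BIND releases.
    dnssec-must-be-secure "example.org." yes;
};

// Measure 1: an RFC 5011 trust anchor for the organisation's own zone.
// "initial-key" tells named to use this KSK as the starting point and then
// follow the zone's own KSK rollovers automatically (RFC 5011 hold-down rules,
// learned keys persisted in managed-keys.bind). Validation for example.org
// starts from this anchor, so the parent's DS handling is no longer the only
// path to trust. Releases before 9.16 spell this statement "managed-keys".
trust-anchors {
    // flags 257 (KSK), protocol 3, algorithm 13 (ECDSAP256SHA256)
    "example.org." initial-key 257 3 13 "PLACEHOLDER-BASE64-PUBLIC-KEY";
};
```

The zone operator side of RFC 5011 is the mirror image: new KSKs must be pre-published in the zone for at least the hold-down period before they are used, and retired KSKs published with the REVOKE bit set, otherwise resolvers configured as above will not follow the rollover.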


