nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: A Deep Dive on the Recent Widespread DNS Hijacking

From: Ca By <cb.list6 () gmail com>
Date: Tue, 26 Feb 2019 05:35:18 -0800
On Tue, Feb 26, 2019 at 1:58 AM Bill Woodcock <woody () pch net> wrote:





On Feb 24, 2019, at 10:03 PM, Hank Nussbacher <hank () efes iucc ac il>

wrote:

Did you have a CAA record defined and if not, why not?


It’s something we’d been planning to do but, ironically, we’d been in the
process of switching to Let’s Encrypt, and they were one of the two CAs
whose process vulnerabilities the attackers were exploiting.  So, in this
particular case, it wouldn’t have helped.

I guess the combination of CAA with a very expensive, or very manual, CA,
might be an improvement.  But it’s still a band-aid on a bankrupt system.

We need to get switched over to DANE as quickly as possible, and stop
wasting effort trying to keep the CA system alive with ever-hackier
band-aids.

                                -Bill




DNS guy says the solution for insecure DNS is... wait for it.... more DNS
...
Previous By Date Next
Previous By Thread Next

Current thread: