nanog mailing list archives

Re: A Deep Dive on the Recent Widespread DNS Hijacking

From: Bill Woodcock <woody () pch net>
Date: Tue, 26 Feb 2019 11:46:32 -0800

On Feb 26, 2019, at 9:15 AM, Jacques Latour <Jacques.Latour () cira ca> wrote:
DNSSEC should of never been part of the domain registration process, it was because we didn’t have the CDS/CDNSKEY 
channel to automated the DS maintenance and bootstrap. But if you keep DNSSEC maintenance outside the registrar 
control then it can be effective tool (amongst other) in identifying hijacks.  Taking away he ability of the bad 
actors to disable DNSSEC via registrar control panel.
This is what happens when you have all your eggs in one basket and you loose the keys to your kingdom.


Agreed.  There’s absolutely no reason for registrars to be involved with DS records of zones they’re not signing.  And, 
for the same reason, there’s no reason for them to be involved with NS records, either, after an initial bootstrap.

                                -Bill

Attachment: signature.asc
Description: Message signed with OpenPGP

Current thread:

Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking, (continued)
- - - Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking Mark Andrews (Feb 27)
    - Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking bzs (Feb 27)
    - Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking Seth Mattinen (Feb 27)
    - Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking Mike Meredith (Feb 28)
    - Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking Måns Nilsson (Feb 28)
    - Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking Bjørn Mork (Feb 28)
    - Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking Mike Meredith (Feb 28)
    - Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking Måns Nilsson (Feb 28)
    - Re: DANE, was A Deep Dive on the Recent Widespread DNS Hijacking Töma Gavrichenkov (Feb 27)
    - RE: A Deep Dive on the Recent Widespread DNS Hijacking Jacques Latour (Feb 26)
    - Re: A Deep Dive on the Recent Widespread DNS Hijacking Bill Woodcock (Feb 26)
    - Re: A Deep Dive on the Recent Widespread DNS Hijacking Mark Andrews (Feb 26)
    - Re: A Deep Dive on the Recent Widespread DNS Hijacking Bill Woodcock (Feb 28)
  - Re: A Deep Dive on the Recent Widespread DNS Hijacking Bill Woodcock (Feb 24)
    - Re: A Deep Dive on the Recent Widespread DNS Hijacking Mark Andrews (Feb 24)
    - Re: A Deep Dive on the Recent Widespread DNS Hijacking Måns Nilsson (Feb 25)
    - Re: A Deep Dive on the Recent Widespread DNS Hijacking Tony Finch (Feb 25)
    - Re: A Deep Dive on the Recent Widespread DNS Hijacking Carl Byington via NANOG (Feb 26)