nanog mailing list archives

Re: DNS hijack?


From: William Herrin <bill () herrin us>
Date: Fri, 12 Nov 2021 15:13:57 -0800

On Fri, Nov 12, 2021 at 3:09 PM Rubens Kuhl <rubensk () gmail com> wrote:
> > DNSSEC would help here. NetSol's rogue nameserver wouldn't be able to produce
> > the signed zone if validation were required.
>
> Nope, they could just remove the DS since they are the registrar for that domain. DNSSEC only protects against a DNS provider going rogue, not your own hired registrar.


DNSSEC would help DNS for the non-expired domain because the rogue
server would not have the key.

To my mind, though, Netsol's server should not be responding with
authoritative answers to random domains that aren't assigned to it.
That it does makes me think it's a good candidate for black-holing in
the routing system.

Regards,
Bill Herrin



-- 
William Herrin
bill () herrin us
https://bill.herrin.us/

