nanog mailing list archives
Re: A Deep Dive on the Recent Widespread DNS Hijacking
From: valdis.kletnieks () vt edu
Date: Mon, 25 Feb 2019 15:36:41 -0500
On Mon, 25 Feb 2019 12:14:59 -0700, Paul Ebersman said:
ekuhnke> One thing to consider with authentication for domain registrar ekuhnke> accounts: ekuhnke> DO NOT USE 2FA VIA SMS. Yup. This is a good example of what I'm advocating. Just saying "use 2FA" or "use DNSSEC" or "have a CAA" isn't sufficient detail to make informed decisions of risk/effort/reward tradeoffs. Simplistic suggestions without details or context isn't doing anyone any favors. That said, even SMS 2FA is better than no 2FA. Barely. Just like forcing lousy passwords is better than no password but still not a best practice.
Feel free to suggest a workable 2FA. Personally, I use a Yubikey where I can. Oath seems to be a reasonable approach for technically minded people, but I'm not sure that it scales well to the people who own the long tail domains in the 40 million .coms. I can get oathtool to behave the way I want, but I'm not sure the owner of joes-bait-tackle-and-gunshop.com will be able to deal with it. Unless you get it down to the SMS "wait for a msg, type in the 6 digit number" level, it's going to be a tough start...
Current thread:
- Re: A Deep Dive on the Recent Widespread DNS Hijacking, (continued)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Ca By (Feb 24)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Mark Andrews (Feb 24)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking John Levine (Feb 24)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Töma Gavrichenkov (Feb 24)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Paul Ebersman (Feb 25)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Paul Ebersman (Feb 25)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Sander Steffann (Feb 25)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Owen DeLong (Feb 25)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Eric Kuhnke (Feb 25)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Paul Ebersman (Feb 25)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking valdis . kletnieks (Feb 25)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Paul Ebersman (Feb 25)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking valdis . kletnieks (Feb 25)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Eric Kuhnke (Feb 25)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Hunter Fuller (Feb 25)
- Re: 2FA, was A Deep Dive on the Recent Widespread DNS Hijacking John Levine (Feb 25)
- Re: 2FA, was A Deep Dive on the Recent Widespread DNS Hijacking Rubens Kuhl (Feb 25)
- RE: 2FA, was A Deep Dive on the Recent Widespread DNS Hijacking Keith Medcalf (Feb 25)
- Re: 2FA, was A Deep Dive on the Recent Widespread DNS Hijacking Job Snijders (Feb 25)
- Re: 2FA, was A Deep Dive on the Recent Widespread DNS Hijacking Seth Mattinen (Feb 26)
- Re: 2FA, was A Deep Dive on the Recent Widespread DNS Hijacking valdis . kletnieks (Feb 26)