nanog mailing list archives

Re: A Deep Dive on the Recent Widespread DNS Hijacking


From: Ross Tajvar <ross () tajvar io>
Date: Mon, 25 Feb 2019 16:30:42 -0500

Speaking of registrars vs registries - I've noticed some companies have
become their own registrar to improve their domain security (Cloudflare,
Google, etc.). Is that a feasible path for smaller organizations? How much
risk does that mitigate? It seems like it gives the organization control
over more of the domain registration, which allows them to manage things
better than a typical registrar might. But credentials can be compromised
in either case.

Does anyone have any experience with that setup?

On Mon, Feb 25, 2019, 1:49 PM Owen DeLong <owen () delong com> wrote:



On Feb 25, 2019, at 09:25, Paul Ebersman <list-nanog2 () dragon net> wrote:

ebersman> If someone owns your registry account, you're screwed. And
ebersman> right now, it tends to be the most neglected part of the
ebersman> entire zone ownership world. Let's use this opportunity to
ebersman> help folks lock down their accounts, not muddying the waters
ebersman> with dubious claims.

Reread this and felt I should clarify that I realize that John and Doug
are not the ones saying DNSSEC is useless. I just hate to see the knee
jerk "oh, see, DNSSEC didn't save the day so it's obviously
useless". Let's give the world a better explanation.

@Paul — I think you meant “registrar account” rather than “registry
account” since most domain holders don’t have registry accounts. Registry
accounts are primarily held by registrars. If someone owns a registrar’s
registry account, then all of their customers (and potentially many many
others) are screwed.

Owen


