nanog mailing list archives

Re: A Deep Dive on the Recent Widespread DNS Hijacking

From: Bill Woodcock <woody () pch net>
Date: Tue, 26 Feb 2019 01:56:34 -0800

On Feb 24, 2019, at 10:03 PM, Hank Nussbacher <hank () efes iucc ac il> wrote:
Did you have a CAA record defined and if not, why not?


It’s something we’d been planning to do but, ironically, we’d been in the process of switching to Let’s Encrypt, and 
they were one of the two CAs whose process vulnerabilities the attackers were exploiting.  So, in this particular case, 
it wouldn’t have helped.

I guess the combination of CAA with a very expensive, or very manual, CA, might be an improvement.  But it’s still a 
band-aid on a bankrupt system.

We need to get switched over to DANE as quickly as possible, and stop wasting effort trying to keep the CA system alive 
with ever-hackier band-aids.

                                -Bill

Attachment: signature.asc
Description: Message signed with OpenPGP

Current thread:

Re: 2FA, was A Deep Dive on the Recent Widespread DNS Hijacking, (continued)
- - - Re: 2FA, was A Deep Dive on the Recent Widespread DNS Hijacking Hunter Fuller (Feb 26)
    - Re: 2FA, was A Deep Dive on the Recent Widespread DNS Hijacking Ross Tajvar (Feb 26)
    - Re: A Deep Dive on the Recent Widespread DNS Hijacking Saku Ytti (Feb 26)
    - Re: A Deep Dive on the Recent Widespread DNS Hijacking Tony Finch (Feb 26)
    - Re: A Deep Dive on the Recent Widespread DNS Hijacking Paul Ebersman (Feb 25)
    - Re: A Deep Dive on the Recent Widespread DNS Hijacking Ross Tajvar (Feb 25)
    - Re: A Deep Dive on the Recent Widespread DNS Hijacking Bill Woodcock (Feb 24)
    - Re: A Deep Dive on the Recent Widespread DNS Hijacking Hank Nussbacher (Feb 24)
    - Re: A Deep Dive on the Recent Widespread DNS Hijacking Ask Bjørn Hansen (Feb 25)
    - Re: A Deep Dive on the Recent Widespread DNS Hijacking Hank Nussbacher (Feb 25)
    - Re: A Deep Dive on the Recent Widespread DNS Hijacking Bill Woodcock (Feb 26)
    - Re: A Deep Dive on the Recent Widespread DNS Hijacking Sander Steffann (Feb 26)
    - Re: A Deep Dive on the Recent Widespread DNS Hijacking Michael Hallgren (Feb 26)
    - Re: A Deep Dive on the Recent Widespread DNS Hijacking Bjørn Mork (Feb 26)
    - Re: A Deep Dive on the Recent Widespread DNS Hijacking Ca By (Feb 26)
    - Re: A Deep Dive on the Recent Widespread DNS Hijacking David Conrad (Feb 26)
    - Re: A Deep Dive on the Recent Widespread DNS Hijacking Ca By (Feb 26)
    - Re: A Deep Dive on the Recent Widespread DNS Hijacking John Levine (Feb 26)
    - Re: A Deep Dive on the Recent Widespread DNS Hijacking Bill Woodcock (Feb 26)
    - Message not available
    - Re: A Deep Dive on the Recent Widespread DNS Hijacking Bill Woodcock (Feb 26)
    - Re: A Deep Dive on the Recent Widespread DNS Hijacking John Levine (Feb 26)

(Thread continues...)