nanog mailing list archives
RE: A Deep Dive on the Recent Widespread DNS Hijacking
From: Jacques Latour <Jacques.Latour () cira ca>
Date: Tue, 26 Feb 2019 17:15:54 +0000
DNSSEC should never have been part of the domain registration process; it was because we didn't have the CDS/CDNSKEY channel to automate the DS maintenance and bootstrap. But if you keep DNSSEC maintenance outside the registrar's control then it can be an effective tool (amongst others) in identifying hijacks, taking away the ability of the bad actors to disable DNSSEC via the registrar control panel. This is what happens when you have all your eggs in one basket and you lose the keys to your kingdom.

From: NANOG <nanog-bounces () nanog org> On Behalf Of Bill Woodcock
Sent: February 26, 2019 4:57 AM
To: Hank Nussbacher <hank () efes iucc ac il>
Cc: nanog () nanog org
Subject: Re: A Deep Dive on the Recent Widespread DNS Hijacking
On Feb 24, 2019, at 10:03 PM, Hank Nussbacher <hank () efes iucc ac il> wrote:
> Did you have a CAA record defined and if not, why not?

It's something we'd been planning to do but, ironically, we'd been in the process of switching to Let's Encrypt, and they were one of the two CAs whose process vulnerabilities the attackers were exploiting. So, in this particular case, it wouldn't have helped. I guess the combination of CAA with a very expensive, or very manual, CA, might be an improvement. But it's still a band-aid on a bankrupt system. We need to get switched over to DANE as quickly as possible, and stop wasting effort trying to keep the CA system alive with ever-hackier band-aids.

-Bill
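The CDS/CDNSKEY channel Jacques mentions lets a parent derive and install the child's DS record without the registrar control panel in the loop, and a monitor outside the registrar can run the same derivation to notice when the DS at the parent is swapped or removed. The following is an added example written for this page, not code from the thread's posters: it computes the DS RDATA from a DNSKEY per RFC 4034 (key tag from Appendix B, digest over canonical owner name plus DNSKEY RDATA) using only the Python standard library, then compares it with the DS set published at the parent. The key bytes and the DS strings are constructed for illustration (a real ECDSA P-256 key is 64 bytes, not 4), and `make_ds`, `check_parent_ds` and the status labels are this example's own names.

```python
"""Derive the DS a parent would install from a zone's KSK (what CDS/CDNSKEY
publishes, RFC 7344) and compare it with the DS set actually at the parent.
Stdlib only; the key material used below is constructed, not a real key."""
import base64
import hashlib
import struct

# DS digest types (RFC 4034, RFC 4509, RFC 6605): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s.6.2): lowercase
    labels, each length-prefixed, terminated by the empty root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: sum the RDATA as 16-bit big-endian
    words (odd trailing byte counts as low byte), fold the carry, mask."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey_b64: str, digest_type: int = 2) -> dict:
    """DS RDATA for this DNSKEY (RFC 4034 s.5.1.4):
    digest = H(canonical owner name || DNSKEY RDATA)."""
    pubkey = base64.b64decode(pubkey_b64)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}


def parse_ds(text: str) -> dict:
    """Parse DS RDATA in presentation format:
    '<key_tag> <algorithm> <digest_type> <digest hex, possibly split by spaces>'."""
    tag, alg, dtype, *hexparts = text.split()
    return {"key_tag": int(tag), "algorithm": int(alg), "digest_type": int(dtype),
            "digest": "".join(hexparts).upper()}


def check_parent_ds(owner: str, ksk: tuple, parent_ds_rdata: list) -> dict:
    """Compare the DS derived from the zone's KSK (what its CDS would say) with
    the DS RRset currently published at the parent. ksk is
    (flags, protocol, algorithm, pubkey_b64). Statuses are this example's own:
    'ok' (parent has our DS), 'unsigned' (no DS at the parent, i.e. DNSSEC
    has been switched off for the delegation), 'mismatch' (DS points at
    some other key)."""
    expected = make_ds(owner, *ksk)
    published = [parse_ds(r) for r in parent_ds_rdata]
    if not published:
        return {"status": "unsigned", "expected": expected}
    if any(p == expected for p in published):
        return {"status": "ok", "expected": expected}
    return {"status": "mismatch", "expected": expected, "published": published}


if __name__ == "__main__":
    # Constructed KSK: flags 257 (SEP/KSK), protocol 3, algorithm 13
    # (ECDSAP256SHA256) and a 4-byte placeholder public key.
    ksk = (257, 3, 13, base64.b64encode(bytes([1, 2, 3, 4])).decode())
    ds = make_ds("example.com", *ksk)
    print("CDS/DS to publish:", ds["key_tag"], ds["algorithm"], ds["digest_type"], ds["digest"])
    good = f"{ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"
    bad = "12345 13 2 " + "00" * 32  # constructed: a DS that points at someone else's key
    for label, parent in (("parent matches", [good]),
                          ("parent swapped", [bad]),
                          ("parent removed DS", [])):
        print(f"{label}: {check_parent_ds('example.com', ksk, parent)['status']}")
```

In use, the `parent_ds_rdata` list would come from a DS query answered by the parent zone (e.g. `dig DS example.com`), and a parent consuming CDS for real must additionally validate the RRSIG over the CDS/CDNSKEY RRset with the zone's current trust chain before acting on it, as RFC 7344 requires; this example only shows the derivation and the comparison.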