nanog mailing list archives
Re: A Deep Dive on the Recent Widespread DNS Hijacking
From: Bill Woodcock <woody () pch net>
Date: Thu, 28 Feb 2019 22:54:57 -0800
> On Feb 24, 2019, at 9:20 PM, Bill Woodcock <woody () pch net> wrote:
>> On Feb 24, 2019, at 7:41 PM, Montgomery, Douglas (Fed) <dougm () nist gov> wrote:
>> In the 3rd attack noted below, do we know if the CA that issued the DV CERTS does DNSSEC validation on its DNS challenge queries?
> We know that neither Comodo nor Let's Encrypt were DNSSEC validating before issuing certs. The Let's Encrypt guys at least seemed interested in learning from their mistake. Can't say as much of Comodo.
Sorry, a correction: Apparently Let's Encrypt _does_ do a DNSSEC validation check, and presumably that's why a Comodo cert was used to attack us. It was my prior understanding that Let's Encrypt certs had been used against DNSSEC-signed zones, but apparently that was not the case. My apologies for my confusion. Nonetheless, even with the DNSSEC validation, there's a problem here that needs to be solved, on both the parts of the CAs involved and the registry/registrar chain.

-Bill
Attachment:
signature.asc
Description: Message signed with OpenPGP
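An added illustration of the check Doug's question is about (this is example code written for this archive page, not code from Let's Encrypt, Comodo, or anyone in the thread). It assumes the CA sends its dns-01 TXT lookup through a DNSSEC-validating resolver with CD=0, so that a validated answer comes back with the AD bit set and a signed zone whose answers fail validation (for instance unsigned data served from hijacked nameservers while the DS record at the parent still exists) comes back as SERVFAIL. Whether the zone is signed is assumed to be known from a separate, validated DS lookup; the sample DNS messages are constructed inline so the code runs offline, and the challenge name and token are made up.

```python
"""Decide whether a dns-01 TXT answer is trustworthy enough to issue on.

Added example.  Assumption: the query went through a DNSSEC-validating
resolver with CD=0, so AD=1 means the resolver proved the answer and
SERVFAIL means validation failed (or the resolver is broken; either way,
no certificate).  `zone_signed` is assumed to come from a validated DS lookup.
"""
import struct

FLAG_QR, FLAG_AD = 0x8000, 0x0020
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2
TYPE_TXT, CLASS_IN = 16, 1


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Return (name, offset after the name); follows RFC 1035 compression pointers."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def build_response(txid: int, qname: str, txt_values, ad: bool, rcode: int) -> bytes:
    """Constructed sample response: one TXT question, zero or more TXT answers."""
    flags = FLAG_QR | (FLAG_AD if ad else 0) | rcode
    header = struct.pack("!HHHHHH", txid, flags, 1, len(txt_values), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    answers = b""
    for value in txt_values:
        rdata = bytes([len(value)]) + value.encode("ascii")
        # 0xC00C = compression pointer to the question name at offset 12
        answers += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 60, len(rdata)) + rdata
    return header + question + answers


def parse_response(msg: bytes) -> dict:
    """Pull out the header flags we care about and every TXT string in the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(msg, off)
        off += 4  # QTYPE + QCLASS
    txts = []
    for _ in range(ancount):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT:
            # TXT rdata is a sequence of <len><chars> strings; concatenate them
            joined, i = b"", 0
            while i < rdlen:
                n = rdata[i]
                joined += rdata[i + 1:i + 1 + n]
                i += 1 + n
            txts.append(joined.decode("ascii"))
    return {"id": txid, "ad": bool(flags & FLAG_AD), "rcode": flags & 0xF, "txt": txts}


def dns01_verdict(msg: bytes, expected_token: str, zone_signed: bool) -> str:
    """Return "accept" or a "reject: ..." reason for a dns-01 challenge answer."""
    r = parse_response(msg)
    if r["rcode"] == RCODE_SERVFAIL:
        return "reject: resolver returned SERVFAIL (DNSSEC validation failed or resolver broken)"
    if r["rcode"] != RCODE_NOERROR:
        return "reject: rcode %d" % r["rcode"]
    if zone_signed and not r["ad"]:
        # A signed zone whose answer was not validated must not count; this is the
        # case an unsigned answer from hijacked nameservers would otherwise slip through.
        return "reject: zone is signed but the answer was not validated (AD=0)"
    if expected_token not in r["txt"]:
        return "reject: expected challenge token not present"
    return "accept"


if __name__ == "__main__":
    NAME, TOKEN = "_acme-challenge.example.com", "constructed-token"
    for label, ad, rcode, values, signed in [
        ("validated answer, signed zone", True, RCODE_NOERROR, [TOKEN], True),
        ("unvalidated answer, signed zone", False, RCODE_NOERROR, [TOKEN], True),
        ("validation failure", False, RCODE_SERVFAIL, [], True),
        ("unsigned zone", False, RCODE_NOERROR, [TOKEN], False),
    ]:
        print(label, "->", dns01_verdict(build_response(1, NAME, values, ad, rcode), TOKEN, signed))
```

The decision an unsigned zone gets is the weak one: with no DS record there is nothing for the resolver to validate, so AD=0 is normal and the CA can only check the token. That is exactly why signing the zone matters for this attack class, and why a CA that does not validate at all (AD never consulted, SERVFAIL never seen) gains nothing from the zone owner having signed it.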
Current thread:
- Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking, (continued)
- Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking Seth Mattinen (Feb 27)
- Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking Mike Meredith (Feb 28)
- Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking Måns Nilsson (Feb 28)
- Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking Bjørn Mork (Feb 28)
- Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking Mike Meredith (Feb 28)
- Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking Måns Nilsson (Feb 28)
- Re: DANE, was A Deep Dive on the Recent Widespread DNS Hijacking Töma Gavrichenkov (Feb 27)
- RE: A Deep Dive on the Recent Widespread DNS Hijacking Jacques Latour (Feb 26)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Bill Woodcock (Feb 26)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Mark Andrews (Feb 26)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Bill Woodcock (Feb 28)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Mark Andrews (Feb 24)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Måns Nilsson (Feb 25)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Tony Finch (Feb 25)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Carl Byington via NANOG (Feb 26)