nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: A Deep Dive on the Recent Widespread DNS Hijacking

From: Bill Woodcock <woody () pch net>
Date: Thu, 28 Feb 2019 22:54:57 -0800



On Feb 24, 2019, at 9:20 PM, Bill Woodcock <woody () pch net> wrote:




On Feb 24, 2019, at 7:41 PM, Montgomery, Douglas (Fed) <dougm () nist gov> wrote:
In the 3rd attack noted below, do we know if the CA that issued the DV CERTS does DNSSEC validation on its DNS 
challenge queries?


We know that neither Comodo nor Let's Encrypt were DNSSEC validating before issuing certs.  The Let’s Encrypt guys at 
least seemed interested in learning from their mistake.  Can’t say as much of Comodo.


Sorry, a correction:

Apparently Let’s Encrypt _does_ do a DNSSEC validation check, and presumably that’s why a Comodo cert was used to 
attack us.  It was my prior understanding that Let’s Encrypt certs had been used against DNSSEC-signed zones, but 
apparently that was not the case.

My apologies for my confusion.  Nonetheless, even with the DNSSEC validation, there’s a problem here that needs to be 
solved, on both the parts of the CAs involved and the registry/registrar chain.

                                -Bill

Attachment: signature.asc
Description: Message signed with OpenPGP

Previous By Date Next
Previous By Thread Next

Current thread: