nanog mailing list archives
Re: A Deep Dive on the Recent Widespread DNS Hijacking
From: James Renken via NANOG <nanog () nanog org>
Date: Tue, 26 Feb 2019 15:34:26 -0600
On Feb 25, 2019, at 1:16 PM, Hank Nussbacher <hank () efes iucc ac il> wrote:
> Yes if an attacker pwned the DNS then game over no matter what. I go under the assumption that the attacker was not able to take over the DNS system but rather other things along the way, in which case CAA should be of some assistance.
I’m excited about a proposed CAA extension (https://tools.ietf.org/html/draft-ietf-acme-caa-06) that would allow domain owners to restrict issuance to a particular ACME account and a particular validation method. This could provide stronger protection against most attacks short of a registry or registrar hijack. It’s implemented in Let’s Encrypt's staging environment, and I hope it’s able to move forward.

--
James Renken (pronouns: he/him)
Internet Security Research Group
Let's Encrypt: A Free, Automated, and Open CA
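The restriction James describes is expressed as two extra parameters on a CAA `issue` record, `accounturi` and `validationmethods`, which draft-ietf-acme-caa layers on top of the RFC 8659 CAA syntax. The following is an added example, not code from the thread, Let's Encrypt, or the draft itself: it parses CAA `issue` values and decides, the way a CA would before issuing, whether a proposed issuance (CA domain, ACME account URL, validation method) is permitted. The zone contents and the account URL are constructed placeholders, and the evaluation rules are my reading of the draft, not a reference implementation.

```python
"""Evaluate CAA 'issue' records that carry the draft-ietf-acme-caa parameters
accounturi and validationmethods against a proposed certificate issuance.

Added example; not code from the NANOG thread, Let's Encrypt or the draft.
All record values below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class CaaIssue:
    issuer: str                       # CA domain; "" means "nobody may issue"
    params: dict = field(default_factory=dict)


def parse_issue_value(value: str) -> CaaIssue:
    """Parse the value of a CAA issue property.

    RFC 8659 syntax: issuer-domain-name [ ";" tag "=" value ... ].
    Whitespace around tokens is ignored; tags are case-insensitive.
    """
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if not p:
            continue
        if "=" not in p:
            raise ValueError(f"malformed CAA parameter: {p!r}")
        tag, _, val = p.partition("=")
        params[tag.strip().lower()] = val.strip()
    return CaaIssue(issuer, params)


def issuance_permitted(records, ca_domain, account_uri=None,
                       validation_method=None) -> bool:
    """Return True if the CA named by ca_domain may issue under these records.

    - No issue records at all: permitted (CAA is opt-in, per RFC 8659).
    - A record with an empty issuer (";") authorizes nobody.
    - Some record must name this CA, and for that record the draft's
      accounturi (exact match) and validationmethods (membership in the
      comma-separated list) must also be satisfied when present.
    """
    issues = [parse_issue_value(v) for v in records]
    if not issues:
        return True
    for rec in issues:
        if rec.issuer != ca_domain.lower():
            continue
        want_acct = rec.params.get("accounturi")
        if want_acct is not None and want_acct != account_uri:
            continue                      # right CA, wrong ACME account
        want_methods = rec.params.get("validationmethods")
        if want_methods is not None:
            allowed = {m.strip() for m in want_methods.split(",") if m.strip()}
            if validation_method not in allowed:
                continue                  # right CA and account, wrong method
        return True
    return False


# Constructed zone: one issue record pinned to a single (placeholder) ACME
# account URL and to DNS-01 validation only. The URL is not a real account.
PINNED_ACCOUNT = "https://acme-staging-v02.api.letsencrypt.org/acme/acct/EXAMPLE-ACCOUNT-ID"
ZONE_RECORDS = [
    f"letsencrypt.org; accounturi={PINNED_ACCOUNT}; validationmethods=dns-01",
]


def evaluate_scenarios():
    """Run a few issuance requests against ZONE_RECORDS; returns a dict of results."""
    ca = "letsencrypt.org"
    return {
        "pinned_account_dns01": issuance_permitted(ZONE_RECORDS, ca, PINNED_ACCOUNT, "dns-01"),
        "other_account_dns01": issuance_permitted(
            ZONE_RECORDS, ca, PINNED_ACCOUNT.replace("EXAMPLE-ACCOUNT-ID", "OTHER"), "dns-01"),
        "pinned_account_http01": issuance_permitted(ZONE_RECORDS, ca, PINNED_ACCOUNT, "http-01"),
        "different_ca": issuance_permitted(ZONE_RECORDS, "other-ca.example", PINNED_ACCOUNT, "dns-01"),
        "no_caa_at_all": issuance_permitted([], ca),
        "deny_everyone": issuance_permitted([";"], ca, PINNED_ACCOUNT, "dns-01"),
        "unpinned_record": issuance_permitted(["letsencrypt.org"], ca, "any-account", "http-01"),
    }


if __name__ == "__main__":
    for name, ok in evaluate_scenarios().items():
        print(f"{name:24s} -> {'permitted' if ok else 'refused'}")
```

The check runs on the CA's side at issuance time, so its value depends entirely on the CAA record the CA sees; as Hank's quoted point notes, an attacker who already controls the zone can simply rewrite that record, which is why the extension helps against compromises "along the way" (a hijacked validation path or a stolen API credential) rather than against a registry or registrar takeover.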