nanog mailing list archives

Re: Re: This is a coordinated hacking. (Was Re: Need help in flushing DNS)

From: Rubens Kuhl <rubensk () gmail com>
Date: Thu, 20 Jun 2013 21:29:06 -0300

On Thu, Jun 20, 2013 at 8:41 PM, Timothy Morizot <tmorizot () gmail com> wrote:

On Jun 20, 2013 5:31 PM, "Randy Bush" <randy () psg com> wrote:

and dnssec did not save us.  is there anything which could have?


Hmmm. DNSSEC wouldn't have prevented an outage. But from everything I've
seen reported, had the zones been signed, validating recursive resolvers
(comcast, google, much of federal government, mine) would have returned
servfail and would not have cached the bad nameservers in their good cache.

Users would have simply failed to connect instead of being sent to the
wrong page and recovery would have been quicker and easier. From my
perspective as someone responsible for DNS at a fairly large enterprise,
that would have been preferable.

But then, the zones for which I'm responsible are signed.


In this case of registrar compromise, DS record could have been changed
alongside NS records, so DNSSEC would only have been a early warning,
because uncoordinated DS change disrupts service. As soon as previous
timeouts played out, new DS/NS pairs would be considered as trustworthy as
the old ones.


Rubens

Current thread:

Re: This is a coordinated hacking. (Was Re: Need help in flushing DNS), (continued)
- - - Re: This is a coordinated hacking. (Was Re: Need help in flushing DNS) RijilV (Jun 20)
    - Re: This is a coordinated hacking. (Was Re: Need help in flushing DNS) Randy Bush (Jun 20)
    - Re: This is a coordinated hacking. (Was Re: Need help in flushing DNS) Bryan Irvine (Jun 20)
    - Re: This is a coordinated hacking. (Was Re: Need help in flushing DNS) Ryan - Lists (Jun 20)
    - Re: This is a coordinated hacking. (Was Re: Need help in flushing DNS) Richard Golodner (Jun 20)
    - Re: This is a coordinated hacking. (Was Re: Need help in flushing DNS) Randy Bush (Jun 20)
    - Re: This is a coordinated hacking. (Was Re: Need help in flushing DNS) George Herbert (Jun 20)
    - Re: This is a coordinated hacking. (Was Re: Need help in flushing DNS) Phil Fagan (Jun 20)
    - Re: This is a coordinated hacking. (Was Re: Need help in flushing DNS) Fred Reimer (Jun 20)
    - Message not available
    - Fwd: Re: This is a coordinated hacking. (Was Re: Need help in flushing DNS) Timothy Morizot (Jun 20)
    - Re: Re: This is a coordinated hacking. (Was Re: Need help in flushing DNS) Rubens Kuhl (Jun 20)
    - Re: Re: This is a coordinated hacking. (Was Re: Need help in flushing DNS) Timothy Morizot (Jun 20)
    - Re: This is a coordinated hacking. (Was Re: Need help in flushing DNS) Jimmy Hess (Jun 20)
    - Re: This is a coordinated hacking. (Was Re: Need help in flushing DNS) Hank Nussbacher (Jun 20)
    - Re: This is a coordinated hacking. (Was Re: Need help in flushing DNS) Hank Nussbacher (Jun 20)
    - RE: This is a coordinated hacking. (Was Re: Need help in flushing DNS) Kain, Rebecca (.) (Jun 21)
    - Re: This is a coordinated hacking. (Was Re: Need help in flushing DNS) Jimmy Hess (Jun 21)
    - Re: This is a coordinated hacking. (Was Re: Need help in flushing DNS) Barry Shein (Jun 21)
    - Re: This is a coordinated hacking. (Was Re: Need help in flushing DNS) jamie rishaw (Jun 22)
    - Re: This is a coordinated hacking. (Was Re: Need help in flushing DNS) Nicolai (Jun 21)
    - RE: This is a coordinated hacking. (Was Re: Need help in flushing DNS) Frank Bulk (Jun 21)

(Thread continues...)