nanog mailing list archives
Re: A Deep Dive on the Recent Widespread DNS Hijacking
From: Töma Gavrichenkov <ximaera () gmail com>
Date: Mon, 25 Feb 2019 13:42:59 +0900
On Mon, Feb 25, 2019, 1:30 PM John Levine <johnl () iecc com> wrote:
You are right, if you can compromise a registrar that permits DNSSEC to be disabled (without notification/confirmation to POCs etc), then you only have a limited period (max of DS TTL) of protection for those resolvers that have already cached the DS.

As far as I can tell, that's roughly all of them. If you have the credentials to log in and change the NS, you can change or remove the DS, too.
And, that wouldn't change in the nearest future, because the concept of "hostile pinning" as it was present with HTTPS Public Key Pinning could also be ported to DNSSEC this way. "Hostile signing"... doesn't that sound scary.

--
Töma
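One way to watch for the change discussed in this message, as an added example that is not part of the original post: a check over periodic parent-zone observations of a delegation that flags DS removal, reports the latest time a cached DS can still protect validating resolvers (observation time plus DS TTL), and escalates when NS and DS change together. The `Snapshot` type, the finding names and all sample values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    ts: int            # observation time, Unix seconds
    ns: frozenset      # NS names published in the parent zone
    ds: frozenset      # DS records published in the parent zone, as text
    ds_ttl: int        # TTL of the DS RRset in seconds (0 when absent)

def review(prev, cur):
    """Compare two consecutive parent-side observations of one delegation."""
    findings = []
    ns_changed = prev.ns != cur.ns
    ds_changed = prev.ds != cur.ds
    ds_removed = bool(prev.ds) and not cur.ds
    if ds_removed:
        # A resolver may have cached the old DS right up to this observation,
        # so cached copies expire no later than cur.ts + the old DS TTL.
        findings.append((cur.ts, "DS_REMOVED", cur.ts + prev.ds_ttl))
    elif ds_changed:
        # Could be a planned key rollover; confirm against change records.
        findings.append((cur.ts, "DS_CHANGED", None))
    if ns_changed and ds_changed:
        # The case raised in the thread: one login alters NS and DS together.
        findings.append((cur.ts, "NS_AND_DS_CHANGED_TOGETHER", None))
    elif ns_changed:
        findings.append((cur.ts, "NS_CHANGED", None))
    return findings

def monitor(snapshots):
    """Review every consecutive pair of snapshots in time order."""
    ordered = sorted(snapshots, key=lambda s: s.ts)
    out = []
    for prev, cur in zip(ordered, ordered[1:]):
        out.extend(review(prev, cur))
    return out

# Constructed sample observations (names, digest and times are placeholders).
OLD_NS = frozenset({"ns1.example.net.", "ns2.example.net."})
NEW_NS = frozenset({"ns1.unknown.example.", "ns2.unknown.example."})
OLD_DS = frozenset({"12345 13 2 CONSTRUCTED-DIGEST-PLACEHOLDER"})
SAMPLE = [
    Snapshot(1000, OLD_NS, OLD_DS, 86400),
    Snapshot(4600, OLD_NS, OLD_DS, 86400),
    Snapshot(8200, NEW_NS, frozenset(), 0),   # NS swapped, DS gone
]

if __name__ == "__main__":
    for finding in monitor(SAMPLE):
        print(finding)
```

The third field of a `DS_REMOVED` finding is an upper bound only: resolvers that had not cached the DS before the removal get no protection at all.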