nanog mailing list archives

Re: A Deep Dive on the Recent Widespread DNS Hijacking


From: Töma Gavrichenkov <ximaera () gmail com>
Date: Mon, 25 Feb 2019 13:42:59 +0900

On Mon, Feb 25, 2019, 1:30 PM John Levine <johnl () iecc com> wrote:

>> You are right, if you can compromise a registrar that permits DNSSEC to
>> be disabled (without notification/confirmation to POCs
>> etc), then you only have a limited period (max of DS TTL) of protection
>> for those resolvers that have already cached the DS.
>
> As far as I can tell, that's roughly all of them.  If you have the
> credentials to log in and change the NS, you can change or remove the
> DS, too.


And that wouldn't change in the near future, because the concept of
"hostile pinning", as it was present with HTTPS Public Key Pinning, could
also be ported to DNSSEC this way.

"Hostile signing"... doesn't that sound scary.

--
Töma
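The thread above turns on two points: a registrar compromise lets an attacker remove or replace the DS at the parent, and validating resolvers are then only protected for as long as their cached copy of the DS lives. The following is an added example, not code from the thread or from NANOG: an offline monitoring check that parses DS records in presentation format, compares the set the zone owner provisioned with the set the parent currently serves (so an unannounced removal or swap at the registrar is at least detected), and a small cache-window calculation showing how many resolvers still hold the old DS at a given moment. The domain-free sample records, key tags and digests are constructed placeholders; in practice the observed set would come from querying the parent (for example `dig DS <zone>`).

```python
# Added example (not from the NANOG thread): an offline check that the DS
# RRset published by the parent still matches what the zone owner expects,
# plus the cache-window calculation the thread describes. All records below
# are constructed sample data; key tags and digests are placeholders.
from dataclasses import dataclass
from typing import Iterable

# Digest lengths (hex chars) per DS digest type: SHA-1, SHA-256, SHA-384.
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # upper-case hex, whitespace removed


def parse_ds(rdata: str) -> DS:
    """Parse DS presentation format: '<keytag> <alg> <digesttype> <hex>'.
    Zone files may split the digest across several whitespace-separated
    groups, so everything after the third field is joined."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError(f"malformed DS rdata: {rdata!r}")
    key_tag, algorithm, digest_type = (int(p) for p in parts[:3])
    if not 0 <= key_tag <= 0xFFFF:
        raise ValueError(f"key tag out of range: {key_tag}")
    digest = "".join(parts[3:]).upper()
    bytes.fromhex(digest)  # raises ValueError on non-hex input
    want = DIGEST_HEX_LEN.get(digest_type)
    if want is not None and len(digest) != want:
        raise ValueError(f"digest type {digest_type} expects {want} hex chars")
    return DS(key_tag, algorithm, digest_type, digest)


def compare_ds(expected: Iterable[str], observed: Iterable[str]) -> dict:
    """Compare the DS records you provisioned against what the parent serves.
    Returns a verdict suitable for alerting: 'ok', 'removed' (the parent
    publishes no DS at all, i.e. the delegation went insecure) or 'changed'
    (some expected DS is missing or a foreign DS appeared)."""
    exp = {parse_ds(r) for r in expected}
    obs = {parse_ds(r) for r in observed}
    missing = exp - obs
    foreign = obs - exp
    if exp and not obs:
        verdict = "removed"
    elif missing or foreign:
        verdict = "changed"
    else:
        verdict = "ok"
    return {"verdict": verdict, "missing": missing, "foreign": foreign}


def cached_ds_expires_at(fetched_at: int, ds_ttl: int) -> int:
    """A validating resolver that fetched the DS at `fetched_at` keeps
    trusting it until the TTL runs out; after that it re-queries the parent
    and, if the DS is gone, treats the delegation as unsigned."""
    return fetched_at + ds_ttl


def resolvers_still_protected(fetch_times: Iterable[int], ds_ttl: int, now: int) -> int:
    """Count resolvers whose cached DS has not yet expired at `now`."""
    return sum(1 for t in fetch_times if cached_ds_expires_at(t, ds_ttl) > now)


# Constructed sample data (placeholder key tags and digests, not a real zone).
EXPECTED_DS = [
    "12345 13 2 " + "AB" * 32,
]
# What the parent serves after the DS was swapped at the registrar.
OBSERVED_AFTER_SWAP = [
    "54321 13 2 " + "CD" * 32,
]

if __name__ == "__main__":
    print(compare_ds(EXPECTED_DS, EXPECTED_DS)["verdict"])         # ok
    print(compare_ds(EXPECTED_DS, [])["verdict"])                   # removed
    print(compare_ds(EXPECTED_DS, OBSERVED_AFTER_SWAP)["verdict"])  # changed
    # DS TTL of 86400 s; three resolvers fetched at different times; 90000 s later.
    print(resolvers_still_protected([0, 40000, 80000], 86400, 90000))  # 2
```

The check is deliberately independent of the registrar's own notification path, which is the gap the thread points out: whoever can log in and change the NS can change the DS too, so the only independent signal the zone owner has is the parent's published DS set compared against a record kept out of band.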


