nanog mailing list archives
Re: A Deep Dive on the Recent Widespread DNS Hijacking
From: David Conrad <drc () virtualized org>
Date: Tue, 26 Feb 2019 15:25:17 +0100
On Feb 26, 2019, at 2:35 PM, Ca By <cb.list6 () gmail com> wrote:
On Tue, Feb 26, 2019 at 1:58 AM Bill Woodcock <woody () pch net <mailto:woody () pch net>> wrote:On Feb 24, 2019, at 10:03 PM, Hank Nussbacher <hank () efes iucc ac il <mailto:hank () efes iucc ac il>> wrote: Did you have a CAA record defined and if not, why not?It’s something we’d been planning to do but, ironically, we’d been in the process of switching to Let’s Encrypt, and they were one of the two CAs whose process vulnerabilities the attackers were exploiting. So, in this particular case, it wouldn’t have helped. I guess the combination of CAA with a very expensive, or very manual, CA, might be an improvement. But it’s still a band-aid on a bankrupt system. We need to get switched over to DANE as quickly as possible, and stop wasting effort trying to keep the CA system alive with ever-hackier band-aids. -Bill DNS guy says the solution for insecure DNS is... wait for it.... more DNS ...
Well, no. "DNS guy” (Bill’s a bit more than that, of course) says the solution for a fundamentally broken trust model is a different system to derive trust. Or do you think Let’s Encrypt/Comodo increase trust? Regards, -drc
Attachment:
signature.asc
Description: Message signed with OpenPGP
Current thread:
- Re: A Deep Dive on the Recent Widespread DNS Hijacking, (continued)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Ross Tajvar (Feb 25)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Bill Woodcock (Feb 24)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Hank Nussbacher (Feb 24)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Ask Bjørn Hansen (Feb 25)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Hank Nussbacher (Feb 25)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Bill Woodcock (Feb 26)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Sander Steffann (Feb 26)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Michael Hallgren (Feb 26)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Bjørn Mork (Feb 26)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Ca By (Feb 26)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking David Conrad (Feb 26)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Ca By (Feb 26)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking John Levine (Feb 26)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Bill Woodcock (Feb 26)
- Message not available
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Bill Woodcock (Feb 26)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking John Levine (Feb 26)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking bzs (Feb 26)
- Re: A Deep Dive on the Recent Widespread DNS Hijacking Bill Woodcock (Feb 26)
- Re: DANE, was A Deep Dive on the Recent Widespread DNS Hijacking John Levine (Feb 26)
- Re: DANE, was A Deep Dive on the Recent Widespread DNS Hijacking Julien Goodwin (Feb 26)
- Re: DANE, was A Deep Dive on the Recent Widespread DNS Hijacking Mike via NANOG (Feb 27)