nanog mailing list archives

Re: A Deep Dive on the Recent Widespread DNS Hijacking


From: David Conrad <drc () virtualized org>
Date: Tue, 26 Feb 2019 15:25:17 +0100

On Feb 26, 2019, at 2:35 PM, Ca By <cb.list6 () gmail com> wrote:
On Tue, Feb 26, 2019 at 1:58 AM Bill Woodcock <woody () pch net> wrote:
On Feb 24, 2019, at 10:03 PM, Hank Nussbacher <hank () efes iucc ac il> wrote:
Did you have a CAA record defined and if not, why not?

It’s something we’d been planning to do but, ironically, we’d been in the process of switching to Let’s Encrypt, and 
they were one of the two CAs whose process vulnerabilities the attackers were exploiting.  So, in this particular 
case, it wouldn’t have helped.

I guess the combination of CAA with a very expensive, or very manual, CA, might be an improvement.  But it’s still a 
band-aid on a bankrupt system.

We need to get switched over to DANE as quickly as possible, and stop wasting effort trying to keep the CA system 
alive with ever-hackier band-aids.

                                -Bill

DNS guy says the solution for insecure DNS is... wait for it.... more DNS ...

Well, no. "DNS guy" (Bill's a bit more than that, of course) says the solution for a fundamentally broken trust model 
is a different system to derive trust.

Or do you think Let’s Encrypt/Comodo increase trust?

Regards,
-drc
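The CAA question in the thread above turns on what a CA actually does with CAA records at issuance time. The following is an added illustration, not code from the thread or from any CA: it implements the RFC 8659 decision procedure (closest-ancestor lookup, `issue`/`issuewild` selection, the "nobody" value `;`, and the critical-flag rule) against a constructed zone snapshot with hypothetical CA names such as `manual-ca.example`. Because the decision is computed purely from whatever CAA RRset the CA's resolver returns, it also makes concrete why a CAA record offers no protection once the zone itself is under an attacker's control: the check is only as trustworthy as the DNS answer feeding it.

```python
"""
RFC 8659 CAA issuance check over a constructed zone snapshot.
Added example for illustration; hypothetical names throughout.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (0x80) = issuer-critical
    tag: str     # property tag, e.g. "issue"
    value: str   # property value, e.g. "manual-ca.example; account=123"


# Constructed snapshot of CAA RRsets keyed by absolute owner name.
# An empty list means the name exists but carries no CAA records.
ZONE: Dict[str, List[CAA]] = {
    "example.net.": [
        CAA(0, "issue", "manual-ca.example; account=12345"),
        CAA(0, "issuewild", ";"),                       # no wildcard issuance by anyone
        CAA(0, "iodef", "mailto:hostmaster@example.net"),
    ],
    "www.example.net.": [],                             # inherits from example.net.
    "locked.example.net.": [CAA(0, "issue", ";")],      # nobody may issue
    "open.example.org.": [CAA(0, "iodef", "mailto:security@example.org")],
    "strict.example.net.": [CAA(0x80, "futuretag", "x")],  # unknown critical property
}


def _ancestors(name: str) -> Iterator[str]:
    """Yield the name itself, then each parent, stopping before the root."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."


def relevant_rrset(name: str) -> Tuple[Optional[str], List[CAA]]:
    """RFC 8659 section 3: the CAA RRset of the closest self-or-ancestor that has one."""
    for candidate in _ancestors(name):
        rrs = ZONE.get(candidate, [])
        if rrs:
            return candidate, rrs
    return None, []


def _issuer_domain(value: str) -> str:
    """Issuer domain name before any ';' parameters; '' means 'no issuer'."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(requested: str, ca_domain: str) -> Tuple[bool, str]:
    """
    Decide whether `ca_domain` may issue for `requested` and say why.
    Wildcard requests prefer 'issuewild' and fall back to 'issue';
    non-wildcard requests consult 'issue' only.
    """
    wildcard = requested.startswith("*.")
    lookup = requested[2:] if wildcard else requested
    if not lookup.endswith("."):
        lookup += "."
    owner, rrs = relevant_rrset(lookup)
    if not rrs:
        return True, "no CAA RRset on the name or any ancestor: issuance unrestricted"
    # An unknown property with the critical flag set forbids issuance outright.
    if any(r.flags & 0x80 and r.tag not in KNOWN_TAGS for r in rrs):
        return False, f"{owner} carries an unrecognised critical property"
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrs):
        tag = "issuewild"
    authorised = {_issuer_domain(r.value) for r in rrs if r.tag == tag}
    if not authorised:
        return True, f"{owner} has no '{tag}' property: issuance unrestricted"
    if ca_domain.lower() in authorised:
        return True, f"{owner} authorises {ca_domain} via '{tag}'"
    shown = sorted(a or "<nobody>" for a in authorised)
    return False, f"{owner} limits '{tag}' issuance to {shown}"


if __name__ == "__main__":
    for name, ca in [("www.example.net", "manual-ca.example"),
                     ("www.example.net", "other-ca.example"),
                     ("*.example.net", "manual-ca.example"),
                     ("locked.example.net", "manual-ca.example"),
                     ("open.example.org", "any-ca.example"),
                     ("strict.example.net", "manual-ca.example")]:
        ok, why = may_issue(name, ca)
        print(f"{name:22} {ca:18} {'ALLOW' if ok else 'DENY ':5} {why}")
```

The snapshot stands in for a live resolver; in a real CA pipeline the same logic would run over a DNSSEC-validated answer, which is the only thing that gives the CAA check any footing when an attacker can rewrite the zone at the registrar or nameserver.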

