A Deep Dive on the Recent Widespread DNS Hijacking

John Levine johnl at iecc.com
Mon Feb 25 04:29:45 UTC 2019


In article <B7DF0851-C5A3-4366-8ADF-501D1418F9E1 at nist.gov> you write:
>You are right, if you can compromise a registrar that permits DNSSEC to be disabled (without notification/confirmation to POCs
>etc), then you only have a limited period (max of DS TTL) of protection for those resolvers that have already cached the DS.

As far as I can tell, that's roughly all of them.  If you have the
credentials to log in and change the NS, you can change or remove the
DS, too.

As someone else noted, the only reason DNSSEC made any difference was
that the script kiddies sometimes forgot to turn it off or install
their own DS.  If you are actually interested in preventing this
stuff, 2FA will be orders of magnitude more effective than messing
with DNSSEC.

There are certainly threats that DNSSEC addresses, but getting your
registrar account pwned isn't one of them.

R's,
John
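The attack the thread describes is a registrar-account takeover that changes the delegation (NS) at the parent and removes or replaces the DS record, leaving validating resolvers protected only until their cached DS expires. The following is an added example (not code from the thread or from any of its participants) of the check an operator would run on a schedule: compare a known-good baseline of the NS and DS sets published by the parent against what is currently published, and report removed or replaced DS records together with the TTL-bounded residual protection. The lookup is injected so the example runs offline on constructed sample records; the domain, nameservers and DS values are hypothetical.

```python
"""Audit a zone's delegation (NS + DS at the parent) against a known-good baseline.

Added example, not from the NANOG thread. All domains, nameservers and DS
values below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

# A DS record as published by the parent: (key tag, algorithm, digest type, digest hex)
DSRecord = Tuple[int, int, int, str]


@dataclass(frozen=True)
class Delegation:
    """What the parent zone publishes for a child: its NS set and DS set."""
    ns: FrozenSet[str]
    ds: FrozenSet[DSRecord]
    ds_ttl: int  # TTL of the DS RRset at the parent, in seconds


# A lookup takes a domain and returns what the parent currently publishes.
# In production this would query the parent's authoritative servers.
Lookup = Callable[[str], Delegation]


def audit_delegation(domain: str, baseline: Delegation, lookup: Lookup) -> List[str]:
    """Return a list of findings; an empty list means the delegation matches the baseline."""
    current = lookup(domain)
    findings: List[str] = []

    added_ns = sorted(current.ns - baseline.ns)
    removed_ns = sorted(baseline.ns - current.ns)
    if added_ns or removed_ns:
        findings.append(f"NS changed at parent: added={added_ns} removed={removed_ns}")

    if baseline.ds and not current.ds:
        # DS dropped: validators keep enforcing DNSSEC only while their cached
        # copy of the old DS lives, i.e. for at most the baseline DS TTL.
        findings.append(
            "DS removed at parent: validating resolvers stop enforcing DNSSEC "
            f"once their cached DS expires (at most {baseline.ds_ttl}s)"
        )
    elif current.ds != baseline.ds:
        # DS swapped for one matching an attacker-controlled KSK: the chain of
        # trust now validates the hijacked zone, so DNSSEC offers no protection.
        tags = sorted(tag for tag, *_ in current.ds)
        findings.append(f"DS replaced at parent: key tags now {tags}")

    return findings


# Constructed sample data (hypothetical domain and records, not real).
BASELINE = Delegation(
    ns=frozenset({"ns1.example.net.", "ns2.example.net."}),
    ds=frozenset({(12345, 13, 2, "ab" * 32)}),
    ds_ttl=86400,
)

SCENARIOS: Dict[str, Delegation] = {
    # Nothing changed.
    "clean": BASELINE,
    # Attacker repointed NS and deleted the DS (the case the thread discusses).
    "ns_changed_ds_removed": Delegation(
        ns=frozenset({"ns1.attacker.example."}), ds=frozenset(), ds_ttl=86400
    ),
    # Attacker repointed NS and installed a DS for their own key.
    "ns_changed_ds_replaced": Delegation(
        ns=frozenset({"ns1.attacker.example."}),
        ds=frozenset({(54321, 13, 2, "cd" * 32)}),
        ds_ttl=3600,
    ),
}


def lookup_for(scenario: str) -> Lookup:
    """Build an offline lookup that returns the constructed records for one scenario."""
    def lookup(domain: str) -> Delegation:
        return SCENARIOS[scenario]
    return lookup


def run_scenario(name: str) -> List[str]:
    return audit_delegation("example.com", BASELINE, lookup_for(name))


if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"{name}: {run_scenario(name) or 'OK'}")
```

To use this against a live zone, replace `lookup_for` with a function that queries the parent's authoritative servers for the child's NS and DS RRsets (for example via dnspython's `dns.resolver.resolve(domain, "DS")` and `resolve(domain, "NS")`, resolving the delegation rather than the child's own apex) and store the baseline out of band, not in the zone being monitored. As the post notes, this only shortens the time to detection; preventing the change in the first place is a matter of registrar-account controls such as 2FA.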


