This is a coordinated hacking. (Was Re: Need help in flushing DNS)

Rubens Kuhl rubensk at gmail.com
Fri Jun 21 00:29:06 UTC 2013


On Thu, Jun 20, 2013 at 8:41 PM, Timothy Morizot <tmorizot at gmail.com> wrote:

> On Jun 20, 2013 5:31 PM, "Randy Bush" <randy at psg.com> wrote:
> > and dnssec did not save us.  is there anything which could have?
>
> Hmmm. DNSSEC wouldn't have prevented an outage. But from everything I've
> seen reported, had the zones been signed, validating recursive resolvers
> (comcast, google, much of federal government, mine) would have returned
> servfail and would not have cached the bad nameservers in their good cache.
>
> Users would have simply failed to connect instead of being sent to the
> wrong page and recovery would have been quicker and easier. From my
> perspective as someone responsible for DNS at a fairly large enterprise,
> that would have been preferable.
>
> But then, the zones for which I'm responsible are signed.
>

In this case of registrar compromise, the DS record could have been changed
alongside the NS records, so DNSSEC would only have been an early warning,
because an uncoordinated DS change disrupts service. As soon as the previous
timeouts played out, the new DS/NS pairs would be considered as trustworthy as
the old ones.


Rubens
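The "early warning" above is something a zone operator can actually watch for: the DS records the parent publishes for a signed zone are derived deterministically from the zone's own KSK DNSKEY records (RFC 4034, section 5.1.4), so any DS at the parent that does not match a key the operator knows about is a sign that the delegation was changed at the registrar. The following script is an added example, not code from this thread or from any NANOG participant; it builds the expected DS set from a constructed, hypothetical KSK for a placeholder zone `example.test.`, and compares it with whatever DS set is handed to it (the caller is assumed to fetch that set from the parent zone with their own tooling).

```python
import hashlib
import struct

# Constructed sample data: a hypothetical zone and placeholder key material,
# not a real zone, key or DS record.
OWNER = "example.test."
KSK_FLAGS = 257          # Zone Key (256) + Secure Entry Point (1) bits
KSK_ALGORITHM = 13       # ECDSAP256SHA256 (DNSSEC algorithm number)
KSK_PUBKEY = bytes([0x01, 0x02, 0x03, 0x04])   # placeholder public key bytes
KNOWN_KSKS = [(KSK_FLAGS, KSK_ALGORITHM, KSK_PUBKEY)]


def name_to_wire(name):
    """Canonical (lowercase, uncompressed) wire form of an owner name (RFC 4034 s6.2)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, algorithm, pubkey, protocol=3):
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B, non-RSA/MD5 variant)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if (i & 1) else (b << 8)
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over canonical owner name + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def ds_record(owner, flags, algorithm, pubkey):
    """The DS record (key tag, algorithm, digest type, digest) a parent should publish."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    return (key_tag(rdata), algorithm, 2, ds_digest_sha256(owner, rdata))


def audit_parent_ds(owner, published_ds, known_ksks):
    """Compare the DS set seen at the parent with the set derived from our own KSKs.

    published_ds: iterable of (key_tag, algorithm, digest_type, hex_digest) tuples.
    Returns DS records the parent publishes that we did not derive ("unexpected",
    i.e. a delegation change we did not make) and our DS records that are absent
    ("missing", i.e. our key was dropped from the delegation).
    """
    expected = {ds_record(owner, flags, alg, key) for flags, alg, key in known_ksks}
    published = {(tag, alg, dtype, digest.lower())
                 for tag, alg, dtype, digest in published_ds}
    return {
        "unexpected": sorted(published - expected),
        "missing": sorted(expected - published),
    }


if __name__ == "__main__":
    legit = ds_record(OWNER, KSK_FLAGS, KSK_ALGORITHM, KSK_PUBKEY)
    # Constructed rogue DS, standing in for a DS inserted through a compromised
    # registrar account alongside new NS records.
    rogue = (12345, 13, 2, "ab" * 32)
    print("expected DS at parent:", legit)
    print("parent intact:        ", audit_parent_ds(OWNER, [legit], KNOWN_KSKS))
    print("DS replaced at parent:", audit_parent_ds(OWNER, [rogue], KNOWN_KSKS))
```

Run periodically (with the DS set fetched from the parent's authoritative servers rather than from a cache), a non-empty `unexpected` or `missing` list is exactly the early warning Rubens describes: it fires while the old records are still being served from caches, before the new DS/NS pair has become as trusted as the old one.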


