This is a coordinated hacking. (Was Re: Need help in flushing DNS)

• Previous message (by thread): This is a coordinated hacking. (Was Re: Need help in flushing DNS)
• Next message (by thread): This is a coordinated hacking. (Was Re: Need help in flushing DNS)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Jun 20, 2013 7:30 PM, "Rubens Kuhl" <rubensk at gmail.com> wrote:
> In this case of registrar compromise, DS record could have been changed
> alongside NS records, so DNSSEC would only have been a early warning,
> because uncoordinated DS change disrupts service. As soon as previous
> timeouts played out, new DS/NS pairs would be considered as trustworthy as
> the old ones.

Since DS records typically have a ttl of 24 hours, that protection should
not be underestimated even in the case of registrar compromise.

However, everything released so far indicates this was a netsol error and
not a compromise. And it was an error corrected fairly quickly from what I
can tell. The impact was prolonged because the bad nameservers were cached
in resolvers across the Internet.

Of course, very few details have actually been released, so that
construction could be wrong. But even in the worst case DNSSEC would have
provided some mitigation for a time.

• Previous message (by thread): This is a coordinated hacking. (Was Re: Need help in flushing DNS)
• Next message (by thread): This is a coordinated hacking. (Was Re: Need help in flushing DNS)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]