A Deep Dive on the Recent Widespread DNS Hijacking

• Previous message (by thread): A Deep Dive on the Recent Widespread DNS Hijacking
• Next message (by thread): A Deep Dive on the Recent Widespread DNS Hijacking
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Feb 25, 2019, 1:30 PM John Levine <johnl at iecc.com> wrote:

> > You are right, if you can compromise a registrar that permits DNSSEC to
> be disabled (without notification/confirmation to POCs
> > etc), then you only have a limited period (max of DS TTL) of protection
> for those resolvers that have already cached the DS.
>
> As far as I can tell, that's roughly all of them.  If you have the
> credentials to log in and change the NS, you can change or remove the
> DS, too.
>

And, that wouldn't change in the nearest future, because the concept of
"hostile pinning" as it was present with HTTPS Public Key Pinning could
also be ported to DNSSEC this way.

"Hostile signing"... doesn't that sound scary.

--
Töma

>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20190225/ae6ea68a/attachment.html>

• Previous message (by thread): A Deep Dive on the Recent Widespread DNS Hijacking
• Next message (by thread): A Deep Dive on the Recent Widespread DNS Hijacking
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]