A Deep Dive on the Recent Widespread DNS Hijacking

Måns Nilsson mansaxel at besserwisser.org
Mon Feb 25 08:07:01 UTC 2019


Subject: Re: A Deep Dive on the Recent Widespread DNS Hijacking
Date: Mon, Feb 25, 2019 at 05:04:39PM +1100
Quoting Mark Andrews (marka at isc.org):
 
> I would also note that an organisation can deploy RFC 5011 for their own
> zones and have their own equipment use DNSKEYs managed
> using RFC 5011 for their own zones.  This isolates the organisation’s
> equipment from the parent zone’s management practices.
>
> I would also note that you can configure validating resolvers to expect
> secure responses for parts of the namespace and to reject
> insecure responses even when they validate as insecure.
 
One thing that immediately struck me upon reading the Krebs post was
that people got owned by having to downgrade the end-to-end model of
the Internet into Proxy-land. A hotel wifi. Probably only challenged by
"Free Wifi" in other spaces in its ability to demolish the Internet as
thought out and envisioned.
 
We can conclude in two different directions here:

* We need to work on making the Internet more transparent to applications,
  and thus increasing security.

* We're all doomed anyway. DNSSEC is useless. 

Pick whichever you like. Our children will judge us. 
-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE           SA0XLR            +46 705 989668
My EARS are GONE!!
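The two resolver-side measures in Mark's quoted paragraphs (a locally managed RFC 5011 trust anchor for the organisation's own zone, and a resolver that refuses "insecure" answers for that part of the namespace), written out as an added BIND 9 named.conf fragment. This is an illustration added here, not configuration from the thread or from ISC. It assumes BIND 9.16-era syntax (the `trust-anchors` statement; older 9.11 releases spell it `managed-keys`), a zone name example.net chosen for illustration, and a placeholder string where the organisation's real KSK RDATA would go.

```conf
# Added example (not from the original post): a validating BIND 9 resolver
# that
#   (a) manages the organisation's own zone trust anchor with RFC 5011
#       rollover, independent of the parent's chain of trust, and
#   (b) refuses unsigned ("insecure") answers for that part of the namespace.
# "example.net" and the key string are placeholders chosen for illustration.

options {
    directory "/var/cache/bind";
    recursion yes;

    # Validate using the root trust anchor compiled into named.
    dnssec-validation auto;

    # Reject answers at or below example.net that validate only as
    # "insecure" (an unsigned delegation or a stripped signature chain).
    # A hijacked zone served without valid signatures then yields SERVFAIL
    # instead of being accepted as a merely insecure answer.
    dnssec-must-be-secure "example.net" yes;
};

# RFC 5011 managed trust anchor for the organisation's own zone.
# 'initial-key' tells named to start from this key and then track KSK
# rollovers in the zone's DNSKEY RRset (SEP flag, REVOKE bit, add-holddown
# timer). Validation for example.net now depends on the organisation's own
# key management rather than on the DS record the parent publishes.
# The key data below is a placeholder, not a real DNSKEY.
trust-anchors {
    "example.net" initial-key 257 3 13 "PLACEHOLDER-BASE64-DNSKEY-RDATA";
};
```

Run `named-checkconf` before reloading (it will reject the placeholder key data, which must be replaced with the real KSK RDATA), and use `rndc managed-keys status` to see which anchors named is currently tracking. Two caveats a practitioner would want: RFC 5011's add-holddown means a new KSK has to be published alongside the old one for at least 30 days before resolvers will trust it, so the organisation's rollover schedule must respect that; and `dnssec-must-be-secure` turns a missing signature chain into a hard failure, so any unsigned sub-delegation under example.net will stop resolving on this resolver.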