A Deep Dive on the Recent Widespread DNS Hijacking

Paul Ebersman list-nanog2 at dragon.net
Mon Feb 25 17:18:44 UTC 2019

dougm> You are right, if you can compromise a registrar that permits
dougm> DNSSEC to be disabled (without notification/confirmation to POCs
dougm> etc), then you only have a limited period (max of DS TTL) of
dougm> protection for those resolvers that have already cached the DS.

johnl> As far as I can tell, that's roughly all of them.  If you have
johnl> the credentials to log in and change the NS, you can change or
johnl> remove the DS, too.

Yes, though with the 1 day TTL most registries put on DS records, you at
least have the chance to notice your DS has changed or been deleted and
attempt to recover your registry account.

That is somewhat a "locking the barn door" approach, and 2FA and other
account security is the best solution. However, we are in a world now
where every layer of security we can add is probably a good idea and
having a day to notice could be handy.

DNSSEC isn't useless but it solves one specific problem, end to end
data integrity. It also requires operational cleanliness and attention
to detail. We shouldn't make claims about what it can't do; we're much
better off getting everyone to understand what it does and doesn't
do. And underline what other security best practices they should be

If someone owns your registry account, you're screwed. And right now, it
tends to be the most neglected part of the entire zone ownership
world. Let's use this opportunity to help folks lock down their
accounts, not muddying the waters with dubious claims.

More information about the NANOG mailing list