A Deep Dive on the Recent Widespread DNS Hijacking

valdis.kletnieks at vt.edu
Mon Feb 25 20:36:41 UTC 2019


On Mon, 25 Feb 2019 12:14:59 -0700, Paul Ebersman said:
> ekuhnke> One thing to consider with authentication for domain registrar
> ekuhnke> accounts:
>
> ekuhnke> DO NOT USE 2FA VIA SMS.
>
> Yup. This is a good example of what I'm advocating. Just saying "use
> 2FA" or "use DNSSEC" or "have a CAA" isn't sufficient detail to make
> informed decisions of risk/effort/reward tradeoffs. Simplistic
> suggestions without details or context aren't doing anyone any favors.
>
> That said, even SMS 2FA is better than no 2FA. Barely. Just like forcing
> lousy passwords is better than no password but still not a best
> practice.

Feel free to suggest a workable 2FA.  Personally, I use a Yubikey where I can.
Oath seems to be a reasonable approach for technically minded people, but I'm
not sure that it scales well to the people who own the long tail domains in the
40 million .coms.   I can get oathtool to behave the way I want, but I'm not
sure the owner of joes-bait-tackle-and-gunshop.com will be able to deal with
it.

Unless you get it down to the SMS "wait for a msg, type in the 6 digit number"
level, it's going to be a tough start...
