A Deep Dive on the Recent Widespread DNS Hijacking

Ca By cb.list6 at gmail.com
Tue Feb 26 13:35:18 UTC 2019

On Tue, Feb 26, 2019 at 1:58 AM Bill Woodcock <woody at pch.net> wrote:

> > On Feb 24, 2019, at 10:03 PM, Hank Nussbacher <hank at efes.iucc.ac.il>
> wrote:
> > Did you have a CAA record defined and if not, why not?
> It’s something we’d been planning to do but, ironically, we’d been in the
> process of switching to Let’s Encrypt, and they were one of the two CAs
> whose process vulnerabilities the attackers were exploiting.  So, in this
> particular case, it wouldn’t have helped.
> I guess the combination of CAA with a very expensive, or very manual, CA,
> might be an improvement.  But it’s still a band-aid on a bankrupt system.
> We need to get switched over to DANE as quickly as possible, and stop
> wasting effort trying to keep the CA system alive with ever-hackier
> band-aids.
>                                 -Bill

DNS guy says the solution for insecure DNS is... wait for it.... more DNS

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20190226/eb834085/attachment.html>

More information about the NANOG mailing list