A Deep Dive on the Recent Widespread DNS Hijacking

Ca By cb.list6 at gmail.com
Tue Feb 26 13:35:18 UTC 2019


On Tue, Feb 26, 2019 at 1:58 AM Bill Woodcock <woody at pch.net> wrote:

> > On Feb 24, 2019, at 10:03 PM, Hank Nussbacher <hank at efes.iucc.ac.il> wrote:
> > Did you have a CAA record defined and if not, why not?
>
> It’s something we’d been planning to do but, ironically, we’d been in the
> process of switching to Let’s Encrypt, and they were one of the two CAs
> whose process vulnerabilities the attackers were exploiting.  So, in this
> particular case, it wouldn’t have helped.
>
> I guess the combination of CAA with a very expensive, or very manual, CA,
> might be an improvement.  But it’s still a band-aid on a bankrupt system.
>
> We need to get switched over to DANE as quickly as possible, and stop
> wasting effort trying to keep the CA system alive with ever-hackier
> band-aids.
>
>                                 -Bill



DNS guy says the solution for insecure DNS is... wait for it.... more DNS...





More information about the NANOG mailing list