A Deep Dive on the Recent Widespread DNS Hijacking
cb.list6 at gmail.com
Tue Feb 26 13:35:18 UTC 2019
On Tue, Feb 26, 2019 at 1:58 AM Bill Woodcock <woody at pch.net> wrote:
> > On Feb 24, 2019, at 10:03 PM, Hank Nussbacher <hank at efes.iucc.ac.il>
> > Did you have a CAA record defined and if not, why not?
> It’s something we’d been planning to do but, ironically, we’d been in the
> process of switching to Let’s Encrypt, and they were one of the two CAs
> whose process vulnerabilities the attackers were exploiting. So, in this
> particular case, it wouldn’t have helped.
> I guess the combination of CAA with a very expensive, or very manual, CA,
> might be an improvement. But it’s still a band-aid on a bankrupt system.
> We need to get switched over to DANE as quickly as possible, and stop
> wasting effort trying to keep the CA system alive with ever-hackier
DNS guy says the solution for insecure DNS is... wait for it.... more DNS