A Deep Dive on the Recent Widespread DNS Hijacking

David Conrad drc at virtualized.org
Tue Feb 26 14:25:17 UTC 2019


On Feb 26, 2019, at 2:35 PM, Ca By <cb.list6 at gmail.com> wrote:
> On Tue, Feb 26, 2019 at 1:58 AM Bill Woodcock <woody at pch.net> wrote:
> > On Feb 24, 2019, at 10:03 PM, Hank Nussbacher <hank at efes.iucc.ac.il> wrote:
> > Did you have a CAA record defined and if not, why not?
> 
> It’s something we’d been planning to do but, ironically, we’d been in the process of switching to Let’s Encrypt, and they were one of the two CAs whose process vulnerabilities the attackers were exploiting.  So, in this particular case, it wouldn’t have helped.
> 
> I guess the combination of CAA with a very expensive, or very manual, CA, might be an improvement.  But it’s still a band-aid on a bankrupt system.
> 
> We need to get switched over to DANE as quickly as possible, and stop wasting effort trying to keep the CA system alive with ever-hackier band-aids.
> 
>                                 -Bill
> 
> DNS guy says the solution for insecure DNS is... wait for it.... more DNS ...

Well, no. "DNS guy" (Bill’s a bit more than that, of course) says the solution for a fundamentally broken trust model is a different system to derive trust.

Or do you think Let’s Encrypt/Comodo increase trust?

Regards,
-drc
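The CAA check Hank asks about above, and that Bill says would not have helped in this case, works as follows when a CA evaluates it (RFC 8659). The code below is an added example, not code from the thread or from any of its participants: it walks from the requested name toward the root to find the relevant CAA RRset, honours the critical flag, and applies the issue/issuewild rules. The zone data is constructed sample data rather than real DNS answers (letsencrypt.org is used as an issuer domain; example.org, nocaa.example and other-ca.example are placeholders). The last function shows the point of Bill's reply: the verdict is only as trustworthy as the DNS answer it is computed from, so whoever controls the zone controls the outcome.

```python
"""CAA evaluation as a CA performs it before issuing (RFC 8659).

Added example; the zone below is constructed, not real DNS data. A real CA
fetches these RRsets over DNS, which is why control of the zone decides
the verdict.
"""
from typing import Dict, List, Optional, Tuple

# A CAA record as (flags, tag, value); flag bit 7 (0x80) marks it critical.
CAARecord = Tuple[int, str, str]
Zone = Dict[str, List[CAARecord]]

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample zone data (not real DNS answers).
SAMPLE_ZONE: Zone = {
    "example.org.": [
        (0, "issue", "letsencrypt.org; validationmethods=dns-01"),
        (0, "issuewild", ";"),  # empty issuer: no CA may issue wildcards
        (0, "iodef", "mailto:security@example.org"),
    ],
    "nocaa.example.": [],  # constructed: a zone publishing no CAA at all
}


def _fqdn(name: str) -> str:
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def _ancestors(name: str):
    """Yield the name, its parent, ... up to and including the root."""
    labels = _fqdn(name).rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


def relevant_rrset(name: str, zone: Zone) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 8659 section 3: the first CAA RRset found walking toward the root."""
    for candidate in _ancestors(name):
        rrset = zone.get(candidate)
        if rrset:
            return candidate, rrset
    return None, []


def _issuer_domain(value: str) -> str:
    """'ca.example; k=v' -> 'ca.example'; a bare ';' -> '' (no CA authorised)."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(name: str, issuer: str, zone: Zone, wildcard: bool = False) -> bool:
    """Decide whether `issuer` may issue a certificate for `name`."""
    _, rrset = relevant_rrset(name, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    # A critical property the CA does not understand forbids issuance.
    for flags, tag, _ in rrset:
        if flags & 0x80 and tag.lower() not in KNOWN_TAGS:
            return False
    wanted = "issuewild" if wildcard else "issue"
    props = [v for _, t, v in rrset if t.lower() == wanted]
    if wildcard and not props:
        props = [v for _, t, v in rrset if t.lower() == "issue"]
    if not props:
        return True  # an RRset exists but restricts nothing for this cert kind
    return issuer.lower() in {_issuer_domain(v) for v in props}


def with_replaced_caa(zone: Zone, name: str, records: List[CAARecord]) -> Zone:
    """Return a copy of `zone` whose CAA RRset at `name` is replaced.

    Models the situation in the thread: once the zone (or the resolver path
    to it) is under someone else's control, CAA restricts nothing, because
    the records the CA reads are theirs.
    """
    altered = dict(zone)
    altered[_fqdn(name)] = list(records)
    return altered


if __name__ == "__main__":
    for host, ca in [("www.example.org", "letsencrypt.org"),
                     ("www.example.org", "other-ca.example"),
                     ("host.nocaa.example", "other-ca.example")]:
        print(host, ca, ca_may_issue(host, ca, SAMPLE_ZONE))
    hijacked = with_replaced_caa(SAMPLE_ZONE, "example.org",
                                 [(0, "issue", "other-ca.example")])
    print("after zone change:", ca_may_issue("www.example.org", "other-ca.example", hijacked))
```

Because the relevant RRset is the closest ancestor that publishes CAA, a record at example.org governs every name beneath it that has none of its own, and a zone with no CAA at any level leaves every CA authorised. The design choice worth noticing is that nothing here is authenticated: the function trusts whatever RRset it is handed, which is exactly the gap DNSSEC (and, for the certificate itself, DANE) is meant to close.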

More information about the NANOG mailing list