A Deep Dive on the Recent Widespread DNS Hijacking

Bill Woodcock woody at pch.net
Tue Feb 26 19:46:32 UTC 2019

> On Feb 26, 2019, at 9:15 AM, Jacques Latour <Jacques.Latour at cira.ca> wrote:
> DNSSEC should of never been part of the domain registration process, it was because we didn’t have the CDS/CDNSKEY channel to automated the DS maintenance and bootstrap. But if you keep DNSSEC maintenance outside the registrar control then it can be effective tool (amongst other) in identifying hijacks.  Taking away he ability of the bad actors to disable DNSSEC via registrar control panel.
> This is what happens when you have all your eggs in one basket and you loose the keys to your kingdom.

Agreed.  There’s absolutely no reason for registrars to be involved with DS records of zones they’re not signing.  And, for the same reason, there’s no reason for them to be involved with NS records, either, after an initial bootstrap.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20190226/140a2c47/attachment.sig>

More information about the NANOG mailing list