A Deep Dive on the Recent Widespread DNS Hijacking

Bill Woodcock woody at pch.net
Fri Mar 1 06:54:57 UTC 2019



> On Feb 24, 2019, at 9:20 PM, Bill Woodcock <woody at pch.net> wrote:
> 
> 
> 
>> On Feb 24, 2019, at 7:41 PM, Montgomery, Douglas (Fed) <dougm at nist.gov> wrote:
>> In the 3rd attack noted below, do we know if the CA that issued the DV CERTS does DNSSEC validation on its DNS challenge queries?
> 
> We know that neither Comodo nor Let's Encrypt were DNSSEC validating before issuing certs.  The Let’s Encrypt guys at least seemed interested in learning from their mistake.  Can’t say as much of Comodo.

Sorry, a correction:

Apparently Let’s Encrypt _does_ do a DNSSEC validation check, and presumably that’s why a Comodo cert was used to attack us.  It was my prior understanding that Let’s Encrypt certs had been used against DNSSEC-signed zones, but apparently that was not the case.

My apologies for my confusion.  Nonetheless, even with the DNSSEC validation, there’s a problem here that needs to be solved, on both the parts of the CAs involved and the registry/registrar chain.

                                -Bill
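The point of the thread is that a CA validating a DNS-based challenge should only trust the answer when its resolver authenticated it under DNSSEC. As an added example (not part of this message or of any CA's code), the block below parses the 12-byte DNS header from wire format, pulls out the AD (Authenticated Data) and CD (Checking Disabled) flags, and applies a simple acceptance rule: for a zone known to be signed, an answer without AD is rejected. Whether the zone is signed is passed in as a boolean (`zone_is_signed`); in practice that comes from a DS/DNSKEY lookup, which is assumed rather than implemented here. The sample messages are constructed headers only, since nothing below the header is inspected.

```python
import struct
from dataclasses import dataclass

# DNS header flag bits (RFC 1035 section 4.1.1, AD/CD from RFC 4035 section 3.2.3)
FLAG_QR = 0x8000   # response
FLAG_AA = 0x0400   # authoritative answer
FLAG_TC = 0x0200   # truncated
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authenticated data (set by a validating resolver)
FLAG_CD = 0x0010   # checking disabled (validation was bypassed)


@dataclass
class DnsHeader:
    id: int
    qr: bool
    opcode: int
    aa: bool
    tc: bool
    rd: bool
    ra: bool
    ad: bool
    cd: bool
    rcode: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int


def parse_header(msg: bytes) -> DnsHeader:
    """Decode the fixed 12-byte DNS message header (network byte order)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return DnsHeader(
        id=ident,
        qr=bool(flags & FLAG_QR),
        opcode=(flags >> 11) & 0xF,
        aa=bool(flags & FLAG_AA),
        tc=bool(flags & FLAG_TC),
        rd=bool(flags & FLAG_RD),
        ra=bool(flags & FLAG_RA),
        ad=bool(flags & FLAG_AD),
        cd=bool(flags & FLAG_CD),
        rcode=flags & 0xF,
        qdcount=qd, ancount=an, nscount=ns, arcount=ar,
    )


def challenge_response_trusted(msg: bytes, zone_is_signed: bool) -> tuple[bool, str]:
    """Decide whether a DNS-01 style challenge answer may be used for issuance.

    zone_is_signed is an assumption supplied by the caller (normally derived
    from a DS lookup at the parent); it is not computed here.
    """
    h = parse_header(msg)
    if not h.qr:
        return False, "not a response"
    if h.rcode != 0:
        return False, f"non-zero RCODE {h.rcode}"
    if h.tc:
        return False, "truncated answer; retry over TCP before deciding"
    if h.cd:
        return False, "CD set: resolver skipped DNSSEC validation"
    if zone_is_signed and not h.ad:
        return False, "zone is signed but the answer was not authenticated (no AD)"
    return True, "ok"


def build_header(ident: int, flags: int) -> bytes:
    """Constructed sample: header only, with one question and one answer counted."""
    return struct.pack("!HHHHHH", ident, flags, 1, 1, 0, 0)


# Constructed samples (not captured traffic)
SIGNED_AUTHENTIC = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
SIGNED_UNAUTHENTIC = build_header(0x1235, FLAG_QR | FLAG_RD | FLAG_RA)
CHECKING_DISABLED = build_header(0x1236, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_CD)

if __name__ == "__main__":
    for name, sample in [("authentic", SIGNED_AUTHENTIC),
                         ("unauthenticated", SIGNED_UNAUTHENTIC),
                         ("cd-set", CHECKING_DISABLED)]:
        print(name, challenge_response_trusted(sample, zone_is_signed=True))
```

The AD bit is only evidence of validation when the resolver that set it is one the validator controls and reaches over a trusted path (loopback, or a channel with integrity protection); an answer arriving from an arbitrary upstream can carry AD without anything having been checked. For an unsigned zone the rule above falls back to ordinary acceptance, which is exactly the gap the thread is describing.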
