[dane] domain hijacking

Wei Chuang <weihaw@google.com> Wed, 12 April 2017 18:50 UTC

From: Wei Chuang <weihaw@google.com>
Date: Wed, 12 Apr 2017 11:50:36 -0700
Message-ID: <CAAFsWK35neS7t_ZXHiTgSuc4wU4dWzEdAxFCzK+k11drvcOOkA@mail.gmail.com>
To: IETF DANE Mailinglist <dane@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/CJW1BDr9MlDjSSlzjAs3p6OVz9Y>
Subject: [dane] domain hijacking

Hi dane folks,

There recently was an article in Wired about how a banking site was domain
hijacked:
https://www.wired.com/2017/04/hackers-hijacked-banks-entire-online-operation/
via a DNS registry account hijacking.  I was wondering if DNSSEC can
protect against such hijackings (and thereby protect DANE records).  My
suspicion is no, DNSSEC can't protect against an attack at the registry
level since a hijacker could publish a new set of consistent records for
the zone including at the parent.  If my suspicion is correct, has there
been thought of re-signing the DS record signed with the older private key
in a way that proves ownership through the key change?  This gets published
at the parent so it's visible even if the entire zone gets spoofed.  This,
put another way, would prove publicly continuity of ownership for the
domain.

thanks,
-Wei
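The two checks the post contrasts, as an added example that is not part of Wei's message or of any DNSSEC implementation: the ordinary delegation check (does the DS at the parent match the child's DNSKEY?) and the proposed continuity check (is the new DS signed by the previous KSK?). The DS digest, DNSKEY wire format and key tag follow RFC 4034 and RFC 4509, and the keys use Ed25519 (DNSSEC algorithm 15, RFC 8080). The "continuity proof" itself is a hypothetical construct sketched from the post, not a real record type; the zone name `bank.example.` and the function names are assumptions made here. `Simulate` runs a legitimate KSK rollover and a rollover where a party with registry access publishes its own consistent DNSKEY/DS pair, so a monitor pinning the old key can see which one the continuity check rejects.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strings"
)

// Constants from RFC 4034, RFC 4509 and RFC 8080.
const (
	flagsKSK       = 257 // ZONE | SEP bits set: a key-signing key
	protocolDNSSEC = 3
	algEd25519     = 15
	dsDigestSHA256 = 2
)

// DNSKEY holds the RDATA fields of a DNSKEY record (RFC 4034 section 2).
type DNSKEY struct {
	Flags     uint16
	Protocol  uint8
	Algorithm uint8
	PublicKey []byte
}

// rdata returns the DNSKEY RDATA in wire format.
func (k DNSKEY) rdata() []byte {
	b := make([]byte, 4, 4+len(k.PublicKey))
	binary.BigEndian.PutUint16(b[0:2], k.Flags)
	b[2] = k.Protocol
	b[3] = k.Algorithm
	return append(b, k.PublicKey...)
}

// keyTag implements the key tag algorithm of RFC 4034 Appendix B.
func (k DNSKEY) keyTag() uint16 {
	var ac uint32
	for i, c := range k.rdata() {
		if i&1 == 0 {
			ac += uint32(c) << 8
		} else {
			ac += uint32(c)
		}
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac & 0xFFFF)
}

// wireName encodes a fully qualified owner name in canonical (lower-case) wire form.
func wireName(name string) []byte {
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		out = append(out, byte(len(label)))
		out = append(out, label...)
	}
	return append(out, 0)
}

// DS holds the RDATA fields of a DS record (RFC 4034 section 5.1).
type DS struct {
	KeyTag     uint16
	Algorithm  uint8
	DigestType uint8
	Digest     []byte
}

func (d DS) rdata() []byte {
	b := make([]byte, 4, 4+len(d.Digest))
	binary.BigEndian.PutUint16(b[0:2], d.KeyTag)
	b[2] = d.Algorithm
	b[3] = d.DigestType
	return append(b, d.Digest...)
}

// makeDS builds the DS a parent publishes for a child KSK:
// digest = SHA-256(owner name | DNSKEY RDATA), per RFC 4034 section 5.1.4.
func makeDS(owner string, k DNSKEY) DS {
	h := sha256.New()
	h.Write(wireName(owner))
	h.Write(k.rdata())
	return DS{KeyTag: k.keyTag(), Algorithm: k.Algorithm, DigestType: dsDigestSHA256, Digest: h.Sum(nil)}
}

// dsMatchesKey is the ordinary validator check at the delegation point. It is
// satisfied by any DS/DNSKEY pair that was published consistently, whoever published it.
func dsMatchesKey(owner string, d DS, k DNSKEY) bool {
	return bytes.Equal(makeDS(owner, k).rdata(), d.rdata())
}

// signContinuity is the hypothetical proof from the post: the previous KSK signs the new DS RDATA.
func signContinuity(oldPriv ed25519.PrivateKey, newDS DS) []byte {
	return ed25519.Sign(oldPriv, newDS.rdata())
}

// verifyContinuity is what a monitor that pinned the previous KSK would check.
func verifyContinuity(pinnedOld DNSKEY, newDS DS, proof []byte) bool {
	if pinnedOld.Algorithm != algEd25519 || len(pinnedOld.PublicKey) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pinnedOld.PublicKey), newDS.rdata(), proof)
}

// RolloverOutcome records both checks for one published DS/DNSKEY change.
type RolloverOutcome struct {
	ChainValid bool // DS at the parent matches the child's DNSKEY
	Continuity bool // new DS is signed by the pinned previous KSK
}

func evaluateRollover(owner string, pinnedOld, newKey DNSKEY, newDS DS, proof []byte) RolloverOutcome {
	return RolloverOutcome{
		ChainValid: dsMatchesKey(owner, newDS, newKey),
		Continuity: verifyContinuity(pinnedOld, newDS, proof),
	}
}

func newKSK() (DNSKEY, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return DNSKEY{Flags: flagsKSK, Protocol: protocolDNSSEC, Algorithm: algEd25519, PublicKey: pub}, priv
}

// Simulate returns the outcome of a legitimate rollover and of a registry-level
// replacement of the zone's keys (constructed scenario; keys are generated fresh each run).
func Simulate(owner string) (legit, hijack RolloverOutcome) {
	oldKey, oldPriv := newKSK() // the KSK a monitor pinned earlier

	// Legitimate operator: new KSK, new DS, continuity proof made with the old private key.
	newKey, _ := newKSK()
	newDS := makeDS(owner, newKey)
	legit = evaluateRollover(owner, oldKey, newKey, newDS, signContinuity(oldPriv, newDS))

	// Registry-level replacement: a consistent DNSKEY/DS pair, but no access to the old private key,
	// so the only proof available is one made with the replacement key.
	otherKey, otherPriv := newKSK()
	otherDS := makeDS(owner, otherKey)
	hijack = evaluateRollover(owner, oldKey, otherKey, otherDS, signContinuity(otherPriv, otherDS))
	return legit, hijack
}

func main() {
	legit, hijack := Simulate("bank.example.")
	fmt.Printf("legitimate rollover: chain valid=%v continuity=%v\n", legit.ChainValid, legit.Continuity)
	fmt.Printf("registry-level swap: chain valid=%v continuity=%v\n", hijack.ChainValid, hijack.Continuity)
}
```

Both scenarios pass `dsMatchesKey`, which is the post's point that DNSSEC validation alone cannot tell a registry-level replacement from a rollover; only the pinned-key continuity check separates them. Note the caveat this sketch makes visible: the proof only helps a party that already holds the old key (a monitor, or a resolver with a trust anchor for the zone), and it says nothing about a first-time delegation or a zone whose old key was itself compromised.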