Re: [dane] domain hijacking

Hugo Salgado-Hernández <> Thu, 13 April 2017 13:15 UTC

On 03:11 13/04, John Levine wrote:
> > If my suspicion is correct, has there
> > been thought of re-signing the DS record signed with the older private key
> > in a way that proves ownership through the key change?
> This sounds to me like shutting the barn door after the horse is gone.
> If it's important to you that your domain isn't hijacked, we all know
> what to do, pick a registrar with good security and 2FA and so forth,
> and monitor your own DNS with alarms if there are unauthorized changes.
> Also, if we were to invent some sort of change signing, now you have
> the other problem where the guy with the private key quits and takes
> it with him, and you have to rebootstrap the zone somehow.


But anyway, we have two indicators that something is wrong, from a
DNSSEC perspective. Either the hijacker deletes the DS and the zone
goes insecure, or changes it for a new one and the zone goes bogus
for some hours, just like a badly made rollover.

Maybe the bank could indicate somehow that its zone should never
go insecure/bogus, just like a website owner can signal with HSTS
that it'll never go plain.
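As an added illustration of the two indicators named above (DS deleted, DS replaced) together with the HSTS-like pin the message suggests, the following monitor-side check is example code written for this thread, not code from the list, from any resolver or from any registry. It derives DS digests from DNSKEY records as RFC 4034 specifies and compares the DS set served by the parent against the set the zone owner has pinned; the zone name and key bytes are constructed placeholders.

```python
import hashlib
import struct

def name_to_wire(name):
    """Owner name in DNS wire format: lowercased, length-prefixed labels plus the root label."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag of a DNSKEY RDATA (RFC 4034 Appendix B; not valid for obsolete algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey):
    """DS tuple (key tag, algorithm, digest type 2, SHA-256 hex digest) derived from a DNSKEY."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, 2, digest)

def check_delegation(owner, pinned_ds, parent_ds, child_dnskeys):
    """Classify a delegation and compare it with the DS set the zone owner pinned.
    pinned_ds / parent_ds: sets of DS tuples (what the owner expects vs what the parent serves).
    child_dnskeys: (flags, protocol, algorithm, pubkey) tuples seen at the child apex.
    Returns (state, alert) with state in {"secure", "insecure", "bogus"}."""
    if not parent_ds:
        # Indicator 1: the DS was deleted and the zone silently went insecure.
        return "insecure", ("DS removed at parent" if pinned_ds else None)
    derived = {ds_from_dnskey(owner, *k) for k in child_dnskeys}
    # Indicator 2: a DS matching no DNSKEY at the child makes the zone bogus.
    state = "secure" if parent_ds & derived else "bogus"
    # The HSTS-like pin: any DS set that differs from the pinned one is a change to
    # investigate, even when it validates (a consistently re-signed zone still differs).
    alert = "DS set changed at parent" if parent_ds != pinned_ds else None
    return state, alert

# Constructed sample: one legitimate KSK for the monitored zone and one foreign key.
ZONE = "bank.example."
LEGIT_KSK = (257, 3, 13, b"\x01\x02\x03\x04")     # placeholder key bytes, not a real key
FOREIGN_KSK = (257, 3, 13, b"\xde\xad\xbe\xef")   # placeholder key bytes, not a real key
PINNED = {ds_from_dnskey(ZONE, *LEGIT_KSK)}
```

A real monitor would populate `parent_ds` and `child_dnskeys` from live queries against the parent and child name servers and alarm on any non-None alert, which covers both the "goes insecure" and the "goes bogus" cases described above.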