Re: [dane] domain hijacking
Hugo Salgado-Hernández <hsalgado@nic.cl> Thu, 13 April 2017 13:15 UTC
Date: Thu, 13 Apr 2017 10:15:29 -0300
From: Hugo Salgado-Hernández <hsalgado@nic.cl>
To: dane@ietf.org
Message-ID: <20170413131529.GA2423@vulcano.intra.nic.cl>
References: <CAAFsWK35neS7t_ZXHiTgSuc4wU4dWzEdAxFCzK+k11drvcOOkA@mail.gmail.com> <20170413031124.79969.qmail@ary.lan>
In-Reply-To: <20170413031124.79969.qmail@ary.lan>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/_5qvg51EVrrr6hcrnsYLI1ggGGU>
On 03:11 13/04, John Levine wrote:
> > If my suspicion is correct, has there been thought of re-signing the DS record signed with the older private key in a way that proves ownership through the key change?
>
> This sounds to me like shutting the barn door after the horse is gone.
>
> If it's important to you that your domain isn't hijacked, we all know what to do, pick a registrar with good security and 2FA and so forth, and monitor your own DNS with alarms if there are unauthorized changes.
>
> Also, if we were to invent some sort of change signing, now you have the other problem where the guy with the private key quits and takes it with him, and you have to rebootstrap the zone somehow.

Agree. But anyway, we have two indicators that something is wrong, from a DNSSEC perspective. Either the hijacker deletes the DS and the zone goes insecure, or changes it for a new one and the zone goes bogus for some hours, just like a badly made rollover. Maybe the bank could indicate somehow that its zone should never go insecure/bogus, just like a website owner can signal with HSTS that it'll never go plain.

Hugo
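The two DNSSEC indicators Hugo describes (DS gone, zone insecure; DS not matching any DNSKEY, zone bogus) together with John's advice to monitor for unauthorized changes, as an added Python example that is not code from this thread. The owner name, keys and DS set are constructed sample data, and the function names (chain_state, check) are this example's own.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").lower().split("."))
    return wire + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (16-bit ones'-complement style sum)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_record(owner, key):
    """DS RDATA as (key tag, algorithm, digest type 2, SHA-256 hex) over owner name + DNSKEY RDATA (RFC 4034 s5.1.4)."""
    flags, alg, pub = key
    rdata = dnskey_rdata(flags, alg, pub)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), alg, 2, digest)

def chain_state(owner, dnskeys, parent_ds):
    """Hugo's two indicators: no DS at the parent means insecure; DS present but matching no child DNSKEY means bogus."""
    if not parent_ds:
        return "insecure"
    if any(ds_record(owner, k) in parent_ds for k in dnskeys):
        return "secure"
    return "bogus"

def check(owner, expected_ds, dnskeys, parent_ds):
    """Monitor as John suggests: alarm on any deviation from what the operator published, not only on a broken chain."""
    state = chain_state(owner, dnskeys, parent_ds)
    if state != "secure" or parent_ds != expected_ds:
        return "ALARM: " + state
    return "ok"

# Constructed sample data, not real keys: the operator's KSK and an unrelated one.
OWNER = "bank.example."
LEGIT_KSK = (257, 13, bytes(range(32)))
OTHER_KSK = (257, 13, bytes(range(32, 64)))
LEGIT_DS = {ds_record(OWNER, LEGIT_KSK)}
```

The last case a monitor must catch is a parent DS set that validates fine but is not the one the operator published, which is why check compares against expected_ds rather than trusting a "secure" chain state alone.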