Re: [dane] domain hijacking
Alice Wonder <alice@domblogger.net> Thu, 13 April 2017 05:02 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/dBaivB8JPA3r2jykG-h5iH6nIlI>
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
On 04/12/2017 08:11 PM, John Levine wrote:
>> If my suspicion is correct, has there been thought of re-signing the DS
>> record signed with the older private key in a way that proves ownership
>> through the key change?
>
> This sounds to me like shutting the barn door after the horse is gone.
>
> If it's important to you that your domain isn't hijacked, we all know
> what to do, pick a registrar with good security and 2FA and so forth,
> and monitor your own DNS with alarms if there are unauthorized changes.
>
> Also, if we were to invent some sort of change signing, now you have
> the other problem where the guy with the private key quits and takes
> it with him, and you have to rebootstrap the zone somehow.
>
> R's,
> John

I wonder if the future DANE equivalent of EV type validation is DS records at a well-known location at the root of the domain (e.g. /ds.signed) signed by a trusted third party that clients can use to validate what is in their TLD.

The only commercial CA issued certificates I personally have any confidence in as an end user are EV, and that would give even more confidence.

Use DANE to secure to public X.509 and, when more confidence than DANE is needed, an expensive commercial CA to secure the DS records.

Cheap commercial CA wouldn't be needed because DANE already provides far more than domain validation certs can; only DS record certs that involve human validation would make sense, for things like banking or commerce or a major social network.

To work with more than HTTPS, third party DS records could be sent with a future version of TLS or some kind of blockchain technology.
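The "monitor your own DNS with alarms" advice quoted above, as an added example that is not part of this thread: a minimal DS-record change detector that compares a pinned baseline RRset against a fresh snapshot of what the parent publishes. The owner name, TTLs, key tags and digests below are constructed sample values, and fetching the live RRset (for example with `dig DS <name>`) is left to the caller so the block runs offline.

```python
# Added example, not from the DANE list thread. Detects DS RRset changes at the
# parent, which is what a registrar-account takeover followed by a key change
# looks like from the outside. All record values are constructed placeholders.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex, normalised to lower-case with whitespace removed


def parse_ds(line: str) -> DS:
    """Parse 'owner TTL IN DS keytag alg digesttype digest' (RFC 4034 presentation form)."""
    fields = line.split()
    if len(fields) < 8 or fields[3].upper() != "DS":
        raise ValueError(f"not a DS record: {line!r}")
    key_tag, alg, dtype = (int(x) for x in fields[4:7])
    # zone files may split the digest into several whitespace-separated chunks
    digest = "".join(fields[7:]).lower()
    return DS(key_tag, alg, dtype, digest)


def diff_ds(baseline: list[str], observed: list[str]) -> dict[str, set[DS]]:
    """DS records added to / removed from the observed RRset relative to the pinned baseline."""
    base = {parse_ds(line) for line in baseline}
    obs = {parse_ds(line) for line in observed}
    return {"added": obs - base, "removed": base - obs}


def alarms(baseline: list[str], observed: list[str]) -> list[str]:
    """Human-readable alarm lines; an empty list means the parent still matches the pin."""
    delta = diff_ds(baseline, observed)
    msgs = []
    for ds in sorted(delta["removed"], key=lambda d: d.key_tag):
        msgs.append(f"ALARM: pinned DS {ds.key_tag}/{ds.algorithm}/{ds.digest_type} no longer published")
    for ds in sorted(delta["added"], key=lambda d: d.key_tag):
        msgs.append(f"ALARM: unexpected DS {ds.key_tag}/{ds.algorithm}/{ds.digest_type} published")
    return msgs


# Constructed sample data: the pinned DS, and a parent-side snapshot where the
# DS has been replaced by one for a key the domain owner never generated.
BASELINE_DS = ["example.net. 3600 IN DS 2371 13 2 "
               "9f3c5ab0e1d2c3b4a5968778695a4b3c2d1e0f1a2b3c4d5e6f708192a3b4c5d6"]
OBSERVED_DS = ["example.net. 3600 IN DS 41907 13 2 "
               "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"]

if __name__ == "__main__":
    for msg in alarms(BASELINE_DS, OBSERVED_DS):
        print(msg)
```

A real deployment would run `alarms()` on a schedule against the RRset fetched from the parent zone's nameservers rather than a recursive cache, so a hijack is seen as soon as the registry publishes it.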