Re: [dane] domain hijacking

"John Levine" <johnl@taugh.com> Thu, 13 April 2017 03:11 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC9AC128DF3 for <dane@ietfa.amsl.com>; Wed, 12 Apr 2017 20:11:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gGopE0Wwx9fA for <dane@ietfa.amsl.com>; Wed, 12 Apr 2017 20:11:47 -0700 (PDT)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63A53126BF6 for <dane@ietf.org>; Wed, 12 Apr 2017 20:11:47 -0700 (PDT)
Received: (qmail 60597 invoked from network); 13 Apr 2017 03:11:46 -0000
Received: from unknown (64.57.183.18) by mail1.iecc.com with QMQP; 13 Apr 2017 03:11:46 -0000
Date: 13 Apr 2017 03:11:24 -0000
Message-ID: <20170413031124.79969.qmail@ary.lan>
From: "John Levine" <johnl@taugh.com>
To: dane@ietf.org
In-Reply-To: <CAAFsWK35neS7t_ZXHiTgSuc4wU4dWzEdAxFCzK+k11drvcOOkA@mail.gmail.com>
Organization:
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/sKn-cXw-j_4PNJ3FSvV_bFngTFQ>
Subject: Re: [dane] domain hijacking
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Apr 2017 03:11:52 -0000

> If my suspicion is correct, has there
>been thought of re-signing the DS record signed with the older private key
>in a way that proves ownership through the key change?

This sounds to me like shutting the barn door after the horse is gone.

If it's important to you that your domain isn't hijacked, we all know
what to do, pick a registrar with good security and 2FA and so forth,
and monitor your own DNS with alarms if there are unauthorized changes.

Also, if we were to invent some sort of change signing, now you have
the other problem where the guy with the private key quits and takes
it with him, and you have to rebootstrap the zone somehow.

R's,
John