Re: [dane] domain hijacking

Frederico A C Neves <> Wed, 12 April 2017 20:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 16EC712955F for <>; Wed, 12 Apr 2017 13:06:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.903
X-Spam-Status: No, score=-6.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id FMNkOrEtPfDP for <>; Wed, 12 Apr 2017 13:06:52 -0700 (PDT)
Received: from ( [IPv6:2001:12ff:0:2::4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A4B00126DED for <>; Wed, 12 Apr 2017 13:06:52 -0700 (PDT)
Received: by (Postfix, from userid 1000) id 296E93D53D; Wed, 12 Apr 2017 17:06:49 -0300 (BRT)
Date: Wed, 12 Apr 2017 17:06:49 -0300
From: Frederico A C Neves <>
Message-ID: <>
References: <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <>
Archived-At: <>
Subject: Re: [dane] domain hijacking
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 12 Apr 2017 20:06:54 -0000


On Wed, Apr 12, 2017 at 08:52:44PM +0100, Ken O'Driscoll wrote:
> On Wed, 2017-04-12 at 11:50 -0700, Wei Chuang wrote:
> > Hi dane folks,
> > 
> > There recently was an article in Wired about how a banking site was
> > domain hijacked:
> >
> > ion/
> > via a DNS registry account hijacking.  I was wondering if DNSSEC can
> > protect against such hijackings (and thereby protect DANE records).
> [...snip...]
> Hi Wei,
> My first post to this list!
> My understanding of that incident is that the attackers compromised the .br registry and from there reassigned the nameservers, thus redirecting traffic to their rogue server.

No, please read the article and the corrections we've provided. The
domain contact account had their listed email account compromised, a
free email provider. With email access and no 2FA configured for this
account on our system the attacker did a password reset. With access
to the system did a regular delegation change.

> DANE or indeed DNSSEC isn't intended to prevent that type of attack, where the attacker has complete control of the domain name at a registry level, including the ability to change NS records and delete DS records. Essentially, in such cases the attacker follows the same procedure the legitimate registrant would follow to disable DNSSEC while changing nameservers.

Correct. If they had a DS the redelegation, done correctly, would be
only a little bit harder but totally doable.