How much do I love the fact that there’s a national “cyber-emergency” of DNS hijacking targeting .GOV names, all of which use DNSSEC, as required by fedgov regs? How’d that work out?
Related rant: registry locking is one of the stupidest things in all of internet security. Model is lock/unlock your domain on demand. But if attackers have the EPP credentials they can just keep trying changes until you happen to unlock!
Registry protection should mean authenticating the actual changes that you want to make out of band; not just 'the vault is open now'.
Won’t get you more than 24h, which is the same as without DNSSEC. Some resolvers also go bottom up if there is a SERVFAIL to renew the path of trust for confirmation, so this wouldn’t work.
The difference is subtle but real ... when you poison with a signed delegation and throw away the key, there's no path to recovery before the TTL expires. Non-signed hijack delegations can be recovered in < TTL when authorities/owners get control of the target NS delegates.
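To make the "signed delegation plus discarded key" point concrete, here is a small Python model of the DS/DNSKEY check a validating resolver performs; it is an added illustration, not code from the thread, and the zone name and key bytes are constructed placeholders:

```python
import hashlib
import struct

# Constructed model of a validating resolver's delegation check: the DS it
# cached from the parent (.gov) must match a DNSKEY the child actually serves,
# otherwise the zone validates as bogus (SERVFAIL) until the cached DS expires.
# Zone name and key bytes below are placeholders, not real data.

def wire_name(name: str) -> bytes:
    """Owner name in canonical wire format, lowercased (RFC 4034 s5.1.4)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner: str, rdata: bytes) -> tuple:
    """DS (digest type 2 = SHA-256) over owner name + DNSKEY RDATA."""
    digest = hashlib.sha256(wire_name(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], 2, digest)

def delegation_state(cached_ds: list, served_dnskeys: list, owner: str) -> str:
    """'secure' if any cached DS matches a served DNSKEY, else 'bogus'."""
    computed = {ds_record(owner, k) for k in served_dnskeys}
    return "secure" if any(ds in computed for ds in cached_ds) else "bogus"

OWNER = "example.gov"  # placeholder zone
LEGIT_KSK = dnskey_rdata(257, 13, b"placeholder-legit-ksk")
HIJACK_KSK = dnskey_rdata(257, 13, b"placeholder-hijack-ksk")

def after_recovery() -> str:
    """Owner has regained the NS delegation and serves its own key again, but
    resolvers still cache the hijacker's DS, whose key nobody serves: bogus."""
    return delegation_state([ds_record(OWNER, HIJACK_KSK)], [LEGIT_KSK], OWNER)

if __name__ == "__main__":
    print(delegation_state([ds_record(OWNER, LEGIT_KSK)], [LEGIT_KSK], OWNER))
    print(after_recovery())
```

With an unsigned hijack there is no stale DS to wait out: once the owner restores the NS delegation, resolvers that refetch it are back on the correct path.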
Hijack the domain at the registrar? Explain.
Find out the domain owner's password for their registrar's web portal, because people re-use passwords, and they show up in dumps. That's how modern domain hijacking happens. It's not very sophisticated.
How is this worse than the non-DNSSEC case of publishing malicious high-TTL A records for www. etc. and getting those into the common caches?
It’s like ATA security erase for subdomains.