How much do I love the fact that there’s a national “cyber-emergency” of DNS hijacking targeting .GOV names, all of which use DNSSEC, as required by fedgov regs? How’d that work out?
Replying to @tqbf
DNSSEC actually makes this worse: hijack the domain at the registrar, change the ZSK, then sign some very high TTL records. Create new zone cuts for the common names, like www. and poison with high-TTL DS records, get them into the common caches, then throw away the DNSKEY.
Related rant: registry locking is one of the stupidest things in all of internet security. Model is lock/unlock your domain on demand. But if attackers have the EPP credentials they can just keep trying changes until you happen to unlock!
Registry protection should mean authenticating the actual changes that you want to make out of band; not just 'the vault is open now'.