How much do I love the fact that there’s a national “cyber-emergency” of DNS hijacking targeting .GOV names, all of which use DNSSEC, as required by fedgov regs? How’d that work out?
The difference is subtle but real ... when you poison with a signed delegation and throw away the key, there's no path to recovery before the TTL expires. Non-signed hijack delegations can be recovered < TTL when authorities/owners get control of the target NS delegates.
In real-world practice: hosting providers and ISPs can often gain control of the delegates within hours, following abuse practices, and fix poisoned delegations. But DNSSEC locks them out, if the attacker is smart about it. That's all I mean! :)
Sorry for ignoring, I missed this ... and then just saw a HN thread which prompted me to go back.