How much do I love the fact that there’s a national “cyber-emergency” of DNS hijacking targeting .GOV names, all of which use DNSSEC, as required by fedgov regs? How’d that work out?
Replying to @tqbf
DNSSEC actually makes this worse: hijack the domain at the registrar, change the ZSK, then sign some very high TTL records. Create new zone cuts for the common names, like www. and poison with high-TTL DS records, get them into the common caches, then throw away the DNSKEY.
5 replies 9 retweets 47 likes
Won’t get you more than 24h, which is the same as without DNSSEC. Some resolvers also go bottom-up if there is a SERVFAIL, to renew the path of trust for confirmation, so this wouldn’t work.
1 reply 0 retweets 1 like
The difference is subtle but real ... when you poison with a signed delegation and throw away the key, there's no path to recovery before the TTL expires. Non-signed hijack delegations can be recovered < TTL when authorities/owners get control of the target NS delegates.
1 reply 0 retweets 0 likes
In real-world practice: hosting providers and ISPs can often gain control of the delegates within hours, following abuse practices, and fix poisoned delegations. But DNSSEC locks them out, if the attacker is smart about it. That's all I mean! :)
1 reply 0 retweets 0 likes
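The two recovery paths argued over in the replies above, as an added worked example; this is not code from any of the tweets, and every name in it (the zone example.gov, the key tags 100 and 999, the nameserver hostnames, the IPs and the TTLs) is constructed. It is a toy validating resolver with a TTL cache: a DS is represented by the key tag it points at rather than a real digest, and "signing" is just the tag of the DNSKEY a record claims. The timeline for each run is: answer during the hijack, answer one hour after the registrar restores the delegation and the hosting provider reclaims the attacker's NS host (the attacker's private key is gone, so the reclaimed host serves the real keys), and answer after every poisoned entry has aged out. The `rewalk_on_failure` switch models the resolver behaviour mentioned in the thread that re-asks the parent for the trust chain on a validation failure instead of trusting the cached DS.

```python
"""Toy validating-resolver cache for a registrar-level hijack (constructed example)."""
from dataclasses import dataclass
from typing import Optional

ZONE = "example.gov"                # constructed victim zone
LEGIT_TAG, EVIL_TAG = "100", "999"  # constructed DNSKEY key tags


@dataclass
class RR:
    value: str
    ttl: int
    signer: Optional[str] = None    # key tag that "signed" this record; None = unsigned


class Resolver:
    def __init__(self, parent: dict, servers: dict, rewalk_on_failure: bool = False):
        self.parent = parent        # (name, type) -> RR: the parent (.gov) zone
        self.servers = servers      # nameserver hostname -> child zone dict it currently serves
        self.rewalk = rewalk_on_failure
        self.cache = {}             # (name, type) -> (RR, expiry time)
        self.now = 0

    def advance(self, seconds: int) -> None:
        self.now += seconds

    def _fetch(self, source: dict, name: str, rtype: str):
        """Return (rr, from_cache); a miss is answered from `source` and cached for its TTL."""
        key = (name, rtype)
        if key in self.cache and self.cache[key][1] > self.now:
            return self.cache[key][0], True
        self.cache.pop(key, None)
        rr = source.get(key)
        if rr is not None:
            self.cache[key] = (rr, self.now + rr.ttl)
        return rr, False

    def _child(self) -> dict:
        """Follow the (possibly cached) NS delegation to whichever host it names now."""
        ns, _ = self._fetch(self.parent, ZONE, "NS")
        return self.servers[ns.value]

    def _chain_ok(self, ds: RR, a: RR) -> bool:
        dnskey, _ = self._fetch(self._child(), ZONE, "DNSKEY")
        return dnskey is not None and ds.value == dnskey.value == a.signer

    def resolve(self, name: str) -> str:
        ds, _ = self._fetch(self.parent, ZONE, "DS")
        a, cached = self._fetch(self._child(), name, "A")
        if a is None:
            return "NXDOMAIN"
        if cached or ds is None:            # already validated, or an insecure delegation
            return a.value
        if self._chain_ok(ds, a):
            return a.value
        if self.rewalk:                     # bottom-up: drop the cached chain, re-ask the parent
            for key in ((ZONE, "DS"), (ZONE, "DNSKEY"), (ZONE, "NS")):
                self.cache.pop(key, None)
            ds, _ = self._fetch(self.parent, ZONE, "DS")
            a, _ = self._fetch(self._child(), name, "A")
            if self._chain_ok(ds, a):
                return a.value
        self.cache.pop((name, "A"), None)   # never serve a bogus answer from cache
        return "SERVFAIL"


def legit_zone() -> dict:
    return {(ZONE, "DNSKEY"): RR(LEGIT_TAG, 3600),
            ("www." + ZONE, "A"): RR("192.0.2.10", 3600, signer=LEGIT_TAG)}


def evil_zone() -> dict:
    # attacker re-keys the zone with EVIL_TAG and signs the records served from it
    return {(ZONE, "DNSKEY"): RR(EVIL_TAG, 3600),
            ("www." + ZONE, "A"): RR("198.51.100.66", 3600, signer=EVIL_TAG)}


def scenario(signed: bool, rewalk: bool) -> list:
    """Answers at three points: during the hijack, 1h after takedown, after the 24h DS/NS TTL."""
    servers = {"ns.legit.example": legit_zone(), "ns.attacker.example": evil_zone()}
    parent = {(ZONE, "NS"): RR("ns.attacker.example", 86400)}   # hijacked delegation, 24h TTL
    if signed:
        parent[(ZONE, "DS")] = RR(EVIL_TAG, 86400)                # high-TTL DS for the attacker key
    r = Resolver(parent, servers, rewalk)
    out = [r.resolve("www." + ZONE)]                              # poisoned entries enter the cache
    # takedown: registrar restores the delegation; provider seizes the attacker's NS host and
    # serves the real zone from it.  The attacker's private key is not available to anyone.
    parent[(ZONE, "NS")] = RR("ns.legit.example", 86400)
    if signed:
        parent[(ZONE, "DS")] = RR(LEGIT_TAG, 86400)
    servers["ns.attacker.example"] = legit_zone()
    r.advance(3600)                  # A and DNSKEY have expired; NS and DS are still cached
    out.append(r.resolve("www." + ZONE))
    r.advance(86400)                 # everything the attacker planted has aged out
    out.append(r.resolve("www." + ZONE))
    return out
```

Running `scenario(signed=False, rewalk=False)` gives the attacker's IP, then the real IP one hour after the takedown even though the stale NS is still cached, because the reclaimed host now answers correctly. `scenario(signed=True, rewalk=False)` gives the attacker's IP, then SERVFAIL for the rest of the DS TTL: the reclaimed host can only produce records under tag 100, which the cached DS for tag 999 will not validate. `scenario(signed=True, rewalk=True)` recovers after the takedown because the resolver discards the cached chain and re-walks from the parent on the failure.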
Sorry for ignoring, I missed this ... and then just saw a HN thread which prompted me to go back.