> From: Tony Finch <[email protected]> > > > But the errornous transfer of ebay.de would create a deasaster with DANE. > > > > In what way would DANE make the theft of a domain worse? > > In addition to vjs's points, note that DNSSEC makes theft of a domain even > more visible because it is likely to cause horrible breakage for > validating users.
I didn't mention those alarms, because I assumed the domain was stolen at the registrar or in the registry so that glue and DS records would be corrected by the adversary. I didn't recall the particular theft, but assumed it involved the common modes of seizure by the registrar or the use of stolen credentials at the registrar. Only if the theft is downstream of the registry such as in a master authoritative server for the domain would DNSSEC raise alarms. Those alarms are valuable, but I didn't want to argue nits with people who after much more than a decade and many public scandles, still haven't twigged to the unredeemable fraud that is commercial PKI. Never mind the irony in the likely fact that the use of stolen registrar credentials would be "protected (sic)" by commercial PKI. Vernon Schryver [email protected] _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
