On 10 Oct 2013, at 16:43, Dan York <[email protected]> wrote:

> there's nothing that DNSSEC or anything else could have done here

Perhaps that's the case for the incidents you described, Dan.

However DNSSEC could help provide some form of two-stage authentication for 
these sorts of requests. Says he hand-waving...

Some sort of token which identifies the EPP transaction could be given a name 
and entered into the zone that's getting redelegated or whatever. That RR would 
need to be signed. [For bonus points, the RDATA of that RR could be that token 
encrypted with the private KSK or ZSK.] The registry checks this RR before 
acting on the EPP request, rejects it if something is wrong and raises an alarm.

This would mean an impostor would have to do more than just compromise some 
registrar's control panel or send a fake fax. They would need to get access to 
the zone and its keys. Which in an ideal world would be isolated from the boxes 
a registrar uses to speak to the Internet or to the registry.

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
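
A minimal model of the registry-side check proposed in the message above, added here as an illustration and not part of the original post. It assumes an Ed25519 zone key the registry already trusts, a hypothetical `_epp-token` owner name, and a simplified record layout instead of real RRSIG wire format; the "token encrypted with the private key" variant is modelled as a signature over the token.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// TokenRR is a simplified stand-in for a signed RR plus its RRSIG (constructed layout).
type TokenRR struct {
	Owner, Token string
	Sig          []byte
}
var ErrRejected = errors.New("EPP request rejected, raise alarm")
// owner builds the hypothetical record name under which the token is published.
func owner(zone string) string { return "_epp-token." + zone }

// PublishToken is the zone operator's step: sign owner name and token with the zone key.
func PublishToken(key ed25519.PrivateKey, zone, token string) *TokenRR {
	o := owner(zone)
	return &TokenRR{o, token, ed25519.Sign(key, []byte(o+"\x00"+token))}
}

// CheckRequest is the registry's step before acting on an EPP transaction.
// zonePub is assumed to be the zone key the registry held before the request arrived.
func CheckRequest(zonePub ed25519.PublicKey, zone, txToken string, rr *TokenRR) error {
	if rr == nil || rr.Owner != owner(zone) || rr.Token != txToken {
		return ErrRejected // no record, wrong name, or token for another transaction
	}
	if !ed25519.Verify(zonePub, []byte(rr.Owner+"\x00"+rr.Token), rr.Sig) {
		return ErrRejected // record was not signed by the zone's key
	}
	return nil
}

// Scenarios runs four constructed cases and returns the registry's verdicts.
func Scenarios() [4]error {
	zonePub, zoneKey, _ := ed25519.GenerateKey(nil)
	_, otherKey, _ := ed25519.GenerateKey(nil) // a key that is not the zone's
	zone := "example.org."
	good := PublishToken(zoneKey, zone, "tx-1001")
	return [4]error{
		CheckRequest(zonePub, zone, "tx-1001", good), // genuine request, RR present
		CheckRequest(zonePub, zone, "tx-1002", nil),  // request arrives, no RR in zone
		CheckRequest(zonePub, zone, "tx-1002", PublishToken(otherKey, zone, "tx-1002")), // wrong key
		CheckRequest(zonePub, zone, "tx-1002", good), // RR from an earlier transaction reused
	}
}

func main() { fmt.Println(Scenarios()) }
```

Only the first case is accepted; the other three return `ErrRejected`, which is the point where the registry would refuse the EPP request and raise the alarm.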
