On Wed, Aug 13, 2014 at 3:38 AM, Stephane Bortzmeyer <bortzme...@nic.fr> wrote:
> On Tue, Aug 12, 2014 at 06:59:37PM +0200,
> Stephane Bortzmeyer <bortzme...@nic.fr> wrote
> a message of 14 lines which said:
>
>> The author says "your domain name registrar can introduce an error to
>> the root domain database and match your domain to an incorrect DNS
>> servers (this actually happened earlier in history of some domain
>> registrars)" but my human memory cannot find an actual documented
>> case. Anyone can mention one or was it just speculation?
>
> One case mentioned by Tony which is not exactly that, but close:
>
> http://news.netcraft.com/archives/2005/01/18/lapse_at_melbourne_it_enabled_panixcom_hijacking.html
>
> One mentioned in ANSSI's guide on DNS:
>
> http://blogs.cisco.com/security/hijacking-of-dns-records-from-network-solutions/
>
> [If you take Network Solutions' words literally...]
>
>> DNSSEC would have mitigated the problem if the domain had been
>> properly managed, which was apparently not the case.

ObRef:

SAC044 - A Registrant's Guide to Protecting Domain Name Registration Accounts
[https://www.icann.org/en/groups/ssac/documents/sac-044-en.pdf]

SAC040 - Measures to Protect Domain Registration Services Against Exploitation or Misuse
[https://www.icann.org/en/groups/ssac/documents/sac-040-en.pdf (also available in multiple languages, links here: https://www.icann.org/resources/pages/documents-2012-02-25-en)]

SAC028 - Registrar Impersonation Phishing Attacks
[https://www.icann.org/en/groups/ssac/documents/sac-028-en.pdf]

SAC007 - Domain Name Hijacking Report (SAC007) (12 July 2005)
[https://www.icann.org/announcements/hijacking-report-12jul05.pdf]

SAC049 - DNS Zone Risk Assessment and Management (03 June 2011)
[https://www.icann.org/en/groups/ssac/documents/sac-049-en.pdf]

Unfortunately many registrants are not adequately protecting their domains, especially the registrar credentials. The suggestions in the above documents[0] don't solve all domain hijacks (ask me how I know :-)), but would cut down on a large number of them, and / or make recovery faster / easier[1].

W

[0]: Full disclosure: Member of SSAC, contributor to a number of the above documents.

[1]: This feels like a BCP38 type discussion. Not sure if posting these will make any difference, but next time there is a hijack that could have been prevented by the above, at least I can say "Nah, nah, told you so!". This is not helpful to the registrant, but might make me feel better :-P

>
> Someone asked me to be more precise: if the DNS hoster does both the
> provisioning (including the signing) and the publication on its DNS
> servers, then, DNSSEC would not help (GIGO). But if the user does the
> provisioning / signing, and relies on the DNS hoster just for
> publication (the user being just a stealth master), DNSSEC would
> protect against blunders by the DNS hoster.
>
> _______________________________________________
> dns-operations mailing list
> dns-operations@lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

--
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf