Cga-tsig approach can make sure that the content transferred between resolvers and DNS servers is not maliciously modified by others; while this approach cannot prevent the Resource Record (RR) from being wrongly updated by the registrar (namely man-made mistakes). Then it seems that one kind of RR checking tool (especially for NS RR) is needed by the registrar, and I am wondering that have there been any such tools available yet?
Guangqing Deng CNNIC From: Hosnieh Date: 2013-08-28 15:01 To: dnsop WG; Joe Abley Subject: Re: [DNSOP] wouldn't it be nice if there was an automatic mechanism to help with this? I think this problem has a solution in IPv6, but I am not sure for IPv4. The current draft, cga-tsig proposed to automate the process of authentication of resolvers (DNS query resolution) and DNS servers (DNS update) in a secure manner. You can take a look on that draft. Best, Hosnieh > On August 27, 2013 at 5:56 PM Joe Abley <[email protected]> wrote: > > > Just saying :-) > > Begin forwarded message: > > > From: "[email protected]" <[email protected]> > > Subject: [dns-operations] Request To Clear Cache: NYTimes.com > > Date: 27 August 2013 17:55:19 EDT > > To: <[email protected]> > > Reply-To: [email protected] > > > > All, > > > > I am a DNS Administrator at NYTimes.com. Earlier today we had issues with > > our registrar updating our NS records on the root servers to a malicious > > site. The registrar has since locked our domain with the registry on our > > proper Name Servers. We have had reports that the malicious site that our > > domain was redirected to was infecting users with malware. It would be a > > great service to the internet if everyone could please clear their cache > > for NYTimes.com. I understand that several other large websites/domains > > are experience the same thing. I would not be surprised if several request > > like this come in over the list today. > > > > Thanks, > > David Porsche > > Systems Administrator > > The New York Times > > _______________________________________________ > > dns-operations mailing list > > [email protected] > > https://lists.dns-oarc.net/mailman/listinfo/dns-operations > > dns-jobs mailing list > > https://lists.dns-oarc.net/mailman/listinfo/dns-jobs > > _______________________________________________ > DNSOP mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/dnsop
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
