Quote from Nicholas Weaver <[email protected]>:

One thought on DNSSEC and this (nytimes.com) attack.

Nicholas,

Your suggestion tries to solve the problem by inspecting common behaviour.
What about providing a policy statement?

I imagine an extension where the subdomain declares an explicit statement to the TLD:
 - yes, my domain awaits a NS (+DS) change in the delegating domain
 - no, I do not authorise the delegating domain for any change
 - no statement at all (compatibility / legacy mode)

The statement could be a simple secret generated/assigned by the TLD,
and the subdomain owner provides this as a TXT record.

If the TLD receives any request to update/change delegation data,
it first queries all *current* NS for this policy statement.

TLDs could implement this extension. If not, it doesn't hurt.
It's similar to the Lock state some TLDs already provide, but it moves the storage of
the "lock information" away from the TLD to the domain owner.

So an attacker must not only hack the registrar interface but also the
domain he wishes to attack. That's more difficult.

Just my thoughts...
Andreas

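The registry-side check described in the post, as an added illustration that is not part of the original message and not code from any TLD or from the DNSOP thread. It assumes a hypothetical owner name `_delegation-policy.<domain>`, a made-up TXT syntax (`change=yes; secret=<value>`, `change=no`, or no record at all for legacy mode), and a pluggable lookup function; the sample nameserver answers are constructed so the sketch runs offline. The only design choice beyond the post is that all current nameservers must agree, and an unreachable nameserver or an unrecognised statement fails closed.

```python
"""Sketch of a registry-side policy-statement check before a delegation change.

Before applying an NS/DS change to a child domain, the TLD asks every
*current* nameserver of that domain for a TXT policy record and proceeds
only if the domain owner has opted in (or has published no statement at all).
Record name, syntax and the lookup interface are assumptions of this sketch.
"""
import hmac
from enum import Enum

POLICY_LABEL = "_delegation-policy"   # hypothetical label, not standardised


class Decision(Enum):
    ALLOW = "allow"      # explicit yes carrying the registry-assigned secret
    DENY = "deny"        # explicit no, wrong secret, or an unusable answer
    LEGACY = "legacy"    # no statement published at all


def parse_policy(txt):
    """Turn 'k=v; k=v' TXT data into a dict; fields without '=' are ignored."""
    fields = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def classify_answer(txt_rdata, expected_secret):
    """Decision contributed by one nameserver. txt_rdata is a list of TXT
    strings, or None when the name has no such record."""
    if txt_rdata is None:
        return Decision.LEGACY
    if len(txt_rdata) != 1:
        return Decision.DENY              # ambiguous: several policy records
    fields = parse_policy(txt_rdata[0])
    change = fields.get("change", "").lower()
    if change == "no":
        return Decision.DENY
    if change == "yes":
        # constant-time comparison of the secret the registry handed out
        if hmac.compare_digest(fields.get("secret", "").encode(),
                               expected_secret.encode()):
            return Decision.ALLOW
        return Decision.DENY              # 'yes' but not the right secret
    return Decision.DENY                  # unrecognised statement: fail closed


def may_change_delegation(domain, current_ns, expected_secret, lookup_txt):
    """Return (allowed, reason).

    lookup_txt(ns, name) returns a list of TXT strings, None for no record,
    and raises on timeout/SERVFAIL. Every current NS is consulted and the
    answers must agree; an unreachable NS blocks the change (design choice)."""
    name = f"{POLICY_LABEL}.{domain}"
    votes = {}
    for ns in current_ns:
        try:
            answer = lookup_txt(ns, name)
        except Exception as exc:
            return False, f"{ns}: policy lookup failed ({exc})"
        votes[ns] = classify_answer(answer, expected_secret)
    decisions = set(votes.values())
    if decisions == {Decision.LEGACY}:
        return True, "no policy statement published; legacy mode"
    if decisions == {Decision.ALLOW}:
        return True, "all current nameservers authorise the change"
    if Decision.DENY in decisions:
        deniers = [ns for ns, d in votes.items() if d is Decision.DENY]
        return False, "change refused by " + ", ".join(deniers)
    return False, "nameservers disagree on the policy statement"


# Constructed sample answers: {nameserver: {owner name: TXT rdata list}}.
SECRET = "registry-assigned-secret-0001"   # constructed value
SAMPLE_ZONES = {
    "ns1.example.test": {"_delegation-policy.example.test": ["change=yes; secret=" + SECRET]},
    "ns2.example.test": {"_delegation-policy.example.test": ["change=yes; secret=" + SECRET]},
    "ns1.locked.test": {"_delegation-policy.locked.test": ["change=no"]},
    "ns2.locked.test": {"_delegation-policy.locked.test": ["change=no"]},
    "ns1.legacy.test": {},
    "ns2.legacy.test": {},
    "ns1.stale.test": {"_delegation-policy.stale.test": ["change=yes; secret=" + SECRET]},
    "ns2.stale.test": {},                   # zone not yet propagated here
}


def fake_lookup(ns, name):
    """Offline stand-in for a DNS TXT query against one nameserver."""
    if ns not in SAMPLE_ZONES:
        raise TimeoutError("no response")
    return SAMPLE_ZONES[ns].get(name)


if __name__ == "__main__":
    for dom in ("example", "locked", "legacy", "stale"):
        servers = [f"ns1.{dom}.test", f"ns2.{dom}.test"]
        print(dom, may_change_delegation(f"{dom}.test", servers, SECRET, fake_lookup))
```

The `stale.test` case shows why all current nameservers are queried rather than one: a nameserver that has not yet received the opt-in record (or that an attacker controls) makes the set disagree, and the change is refused instead of being decided by whichever server the registry happened to ask.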

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
