Re: [dns-operations] A report on a DNS issue that was causing page redirections

2014-08-13 Thread Stephane Bortzmeyer
On Tue, Aug 12, 2014 at 06:59:37PM +0200,
 Stephane Bortzmeyer bortzme...@nic.fr wrote 
 a message of 14 lines which said:

> The author says your domain name registrar can introduce an error to
> the root domain database and match your domain to an incorrect DNS
> servers (this actually happened earlier in history of some domain
> registrars) but my human memory cannot find an actual documented
> case. Can anyone mention one, or was it just speculation?

One case mentioned by Tony which is not exactly that, but close:

http://news.netcraft.com/archives/2005/01/18/lapse_at_melbourne_it_enabled_panixcom_hijacking.html

One mentioned in ANSSI's guide on DNS:

http://blogs.cisco.com/security/hijacking-of-dns-records-from-network-solutions/

[If you take Network Solutions' words literally...]
 
> DNSSEC would have mitigated the problem if the domain had been
> properly managed, which was apparently not the case.

Someone asked me to be more precise: if the DNS hoster does both the
provisioning (including the signing) and the publication on its DNS
servers, then, DNSSEC would not help (GIGO). But if the user does the
provisioning / signing, and relies on the DNS hoster just for
publication (the user being just a stealth master), DNSSEC would
protect against blunders by the DNS hoster.

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
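
Added example, not part of the original message: a simplified Python model of the two arrangements described above (hoster signs and publishes, versus registrant signs on a stealth master and the hoster only publishes). Unpadded textbook RSA over SHA-256 stands in for RRSIG and a hash of the public key stands in for the DS record; the toy keys, names and addresses are constructed, and this is not real DNSSEC wire format.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    # Textbook RSA key; Mersenne primes only make the toy key reproducible.
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

REGISTRANT = make_key(2**521 - 1, 2**607 - 1)   # constructed toy key
HOSTER = make_key(2**127 - 1, 2**1279 - 1)      # constructed toy key

def digest(rrset):
    return int.from_bytes(hashlib.sha256(rrset.encode()).digest(), "big")

def sign(key, rrset):
    # Stand-in for RRSIG generation (no padding: a model, not real DNSSEC).
    return pow(digest(rrset), key["d"], key["n"])

def ds_of(n):
    # Stand-in for the DS record the parent zone publishes for a key.
    return hashlib.sha256(str(n).encode()).hexdigest()

def served(rrset, sig, key):
    # What the hoster's authoritative servers hand to a resolver.
    return {"rrset": rrset, "sig": sig, "dnskey": key["n"]}

def validate(ds, answer):
    # Validator's chain: DS from parent -> served DNSKEY -> signature on RRset.
    if ds_of(answer["dnskey"]) != ds:
        return False
    return pow(answer["sig"], E, answer["dnskey"]) == digest(answer["rrset"])

GOOD = "www.example.com. 300 IN A 192.0.2.10"    # what the registrant intends
BAD = "www.example.com. 300 IN A 203.0.113.66"   # hoster blunder (constructed)

def scenarios():
    good_sig = sign(REGISTRANT, GOOD)   # made on the registrant's stealth master
    reg_ds, host_ds = ds_of(REGISTRANT["n"]), ds_of(HOSTER["n"])
    return {
        # Hoster provisions and signs: the blunder gets a valid signature (GIGO).
        "hoster_signs_blunder": validate(host_ds, served(BAD, sign(HOSTER, BAD), HOSTER)),
        # Registrant signs, hoster publishes the data unchanged.
        "registrant_signs_ok": validate(reg_ds, served(GOOD, good_sig, REGISTRANT)),
        # Registrant signs, hoster serves wrong data with the old signature.
        "registrant_signs_blunder": validate(reg_ds, served(BAD, good_sig, REGISTRANT)),
        # Hoster re-signs the wrong data with its own key: DS does not match.
        "registrant_signs_resigned": validate(reg_ds, served(BAD, sign(HOSTER, BAD), HOSTER)),
    }
```

Calling `scenarios()` returns one boolean per case: only the hoster-signed blunder and the faithful publication validate, while both blunders under registrant signing are rejected.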


Re: [dns-operations] A report on a DNS issue that was causing page redirections

2014-08-13 Thread Warren Kumari
On Wed, Aug 13, 2014 at 3:38 AM, Stephane Bortzmeyer bortzme...@nic.fr wrote:
> On Tue, Aug 12, 2014 at 06:59:37PM +0200,
>  Stephane Bortzmeyer bortzme...@nic.fr wrote
>  a message of 14 lines which said:
>
> > The author says your domain name registrar can introduce an error to
> > the root domain database and match your domain to an incorrect DNS
> > servers (this actually happened earlier in history of some domain
> > registrars) but my human memory cannot find an actual documented
> > case. Can anyone mention one, or was it just speculation?
>
> One case mentioned by Tony which is not exactly that, but close:
>
> http://news.netcraft.com/archives/2005/01/18/lapse_at_melbourne_it_enabled_panixcom_hijacking.html
>
> One mentioned in ANSSI's guide on DNS:
>
> http://blogs.cisco.com/security/hijacking-of-dns-records-from-network-solutions/
>
> [If you take Network Solutions' words literally...]
>
> > DNSSEC would have mitigated the problem if the domain had been
> > properly managed, which was apparently not the case.

ObRef:
SAC044 - A Registrant's Guide to Protecting Domain Name Registration Accounts
[https://www.icann.org/en/groups/ssac/documents/sac-044-en.pdf]
SAC040 - Measures to Protect Domain Registration Services Against Exploitation or Misuse
[https://www.icann.org/en/groups/ssac/documents/sac-040-en.pdf (also
available in multiple languages, links here:
https://www.icann.org/resources/pages/documents-2012-02-25-en)]
SAC028 - Registrar Impersonation Phishing Attacks
[https://www.icann.org/en/groups/ssac/documents/sac-028-en.pdf]
SAC007 - Domain Name Hijacking Report (SAC007) (12 July 2005)
[https://www.icann.org/announcements/hijacking-report-12jul05.pdf]
SAC049 - DNS Zone Risk Assessment and Management (03 June 2011)
[https://www.icann.org/en/groups/ssac/documents/sac-049-en.pdf]

Unfortunately many registrants are not adequately protecting their
domains, especially the registrar credentials. The suggestions in the
above documents[0] don't solve all domain hijacks (ask me how I know
:-)), but would cut down on a large number of them, and / or make
recovery faster / easier[1].

W
[0]: Full disclosure: Member of SSAC, contributor to a number of the
above documents.
[1]: This feels like a BCP38 type discussion. Not sure if posting
these will make any difference, but next time there is a hijack that
could have been prevented by the above, at least I can say "Nah, nah,
told you so!". This is not helpful to the registrant, but might make
me feel better :-P




> Someone asked me to be more precise: if the DNS hoster does both the
> provisioning (including the signing) and the publication on its DNS
> servers, then, DNSSEC would not help (GIGO). But if the user does the
> provisioning / signing, and relies on the DNS hoster just for
> publication (the user being just a stealth master), DNSSEC would
> protect against blunders by the DNS hoster.




-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf


[dns-operations] A report on a DNS issue that was causing page redirections

2014-08-12 Thread Stephane Bortzmeyer
Long and technically detailed story of a big DNS blunder, with
unexpected consequences:

http://blog.qbaka.com/post/94537269389/a-report-on-a-dns-issue-that-was-causing-page

The author says your domain name registrar can introduce an error to
the root domain database and match your domain to an incorrect DNS
servers (this actually happened earlier in history of some domain
registrars) but my human memory cannot find an actual documented
case. Can anyone mention one, or was it just speculation?

DNSSEC would have mitigated the problem if the domain had been
properly managed, which was apparently not the case.
