Re: [Dnssec-deployment] domain outage incident - redirected email attempts thwarted by DNSSEC

2015-09-30 Thread Stephane Bortzmeyer
On Tue, Sep 29, 2015 at 10:59:15AM -0400,
 Paul Wouters wrote
 a message of 32 lines which said:

> What made things worse is that said Registrar took over the domains
> and is running those zones on their DNS servers, including an MX
> record that points to an actual mailserver.

For the record, the DNSDB data about that:

Normal MX :

bailiwick   puiterwijk.org.
count   10521
first seen   2013-04-26 14:04:22 -
last seen   2015-09-29 21:32:40 -
puiterwijk.org.   MX   10 mail.puiterwijk.org.

Hijacked MX :

bailiwick   puiterwijk.org.
count   27
first seen   2015-09-27 13:32:20 -
last seen   2015-09-29 13:32:05 -
puiterwijk.org.   MX   5 mail.b-io.co.

Normal NS :

bailiwick   puiterwijk.org.
count   48437
first seen   2013-03-23 23:58:26 -
last seen   2015-09-29 20:31:16 -
puiterwijk.org.   NS   ns0.nohats.ca.
puiterwijk.org.   NS   ns1.nohats.ca.
puiterwijk.org.   NS   ns2.foobar.fi.

Hijacked NS :

bailiwick   org.
count   129
first seen   2015-09-27 13:32:20 -
last seen   2015-09-29 14:36:51 -
puiterwijk.org.   NS   ns1.pendingrenewaldeletion.com.
puiterwijk.org.   NS   ns2.pendingrenewaldeletion.com.
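
An added example, not part of the original message: one way to flag this pattern automatically in passive DNS data, by looking for an RRset that first appears while a long-established RRset for the same name and type is still being observed. The function name, the thresholds and the heuristic itself are assumptions made for this illustration; the records are the four DNSDB entries above, with timestamps as printed.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# RRset observations transcribed from the DNSDB output quoted in the message:
# (rrname, rrtype, bailiwick, count, first_seen, last_seen, rdata)
OBSERVATIONS = [
    ("puiterwijk.org.", "MX", "puiterwijk.org.", 10521,
     "2013-04-26 14:04:22", "2015-09-29 21:32:40", ["10 mail.puiterwijk.org."]),
    ("puiterwijk.org.", "MX", "puiterwijk.org.", 27,
     "2015-09-27 13:32:20", "2015-09-29 13:32:05", ["5 mail.b-io.co."]),
    ("puiterwijk.org.", "NS", "puiterwijk.org.", 48437,
     "2013-03-23 23:58:26", "2015-09-29 20:31:16",
     ["ns0.nohats.ca.", "ns1.nohats.ca.", "ns2.foobar.fi."]),
    ("puiterwijk.org.", "NS", "org.", 129,
     "2015-09-27 13:32:20", "2015-09-29 14:36:51",
     ["ns1.pendingrenewaldeletion.com.", "ns2.pendingrenewaldeletion.com."]),
]


def find_suspect_rrsets(observations, min_age_days=180, min_ratio=10):
    """Return RRsets that first appeared while a long-established RRset for
    the same owner name and type was still being observed.

    min_age_days and min_ratio are illustrative thresholds (assumptions).
    """
    rows = [(n, t, b, c, datetime.strptime(f, FMT), datetime.strptime(l, FMT), r)
            for n, t, b, c, f, l, r in observations]
    suspects = []
    for new in rows:
        for old in rows:
            if old is new or old[:2] != new[:2]:
                continue
            established = new[4] - old[4] >= timedelta(days=min_age_days)
            overlapping = old[5] >= new[4]   # old answer still seen afterwards
            rare = old[3] >= min_ratio * new[3]
            if established and overlapping and rare:
                suspects.append({"name": new[0], "type": new[1],
                                 "bailiwick": new[2], "first_seen": new[4],
                                 "rdata": new[6], "displaces": old[6]})
    return suspects


if __name__ == "__main__":
    for s in find_suspect_rrsets(OBSERVATIONS):
        print(s["first_seen"], s["type"], s["rdata"], "vs", s["displaces"])
```

A planned nameserver migration, where the old RRset stops being seen before the new one appears, is not flagged by this check.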
 


Re: [Dnssec-deployment] domain outage incident - redirected email attempts thwarted by DNSSEC

2015-09-29 Thread Mukund Sivaraman
On Tue, Sep 29, 2015 at 10:59:15AM -0400, Paul Wouters wrote:
> So, my emails to this person were not delivered to the rogue MX servers
> because both he and I deployed DNSSEC.

+1

Another similar example: gimp.org expired in the second week of August
and entered the grace period. At this time, the registrar conveniently
directed DNS to their nameserver and was serving records (how is the
registrar permitted to control the domain except disabling it, when it
is in grace period?). DS record at parent held and helped, at least for
those who were using validating resolvers.

Mukund




Re: [Dnssec-deployment] domain outage incident - redirected email attempts thwarted by DNSSEC

2015-09-29 Thread Dave Lawrence
Paul Wouters writes:
> However, they did not modify the DS records after taking over the NS
> records and MX/A records. 

Sadly though, they could have.