Re: [Dnssec-deployment] domain outage incident - redirected email attempts thwarted by DNSSEC
On Tue, Sep 29, 2015 at 10:59:15AM -0400, Paul Wouters wrote a message of 32 lines which said:

> What made things worse is that said Registrar took over the domains
> and is running those zones on their DNS servers, including an MX
> record that points to an actual mailserver.

For the record, the DNSDB data about that:

Normal MX:

    bailiwick puiterwijk.org.
    count 10521
    first seen 2013-04-26 14:04:22 -
    last seen 2015-09-29 21:32:40 -
    puiterwijk.org. MX 10 mail.puiterwijk.org.

Hijacked MX:

    bailiwick puiterwijk.org.
    count 27
    first seen 2015-09-27 13:32:20 -
    last seen 2015-09-29 13:32:05 -
    puiterwijk.org. MX 5 mail.b-io.co.

Normal NS:

    bailiwick puiterwijk.org.
    count 48437
    first seen 2013-03-23 23:58:26 -
    last seen 2015-09-29 20:31:16 -
    puiterwijk.org. NS ns0.nohats.ca.
    puiterwijk.org. NS ns1.nohats.ca.
    puiterwijk.org. NS ns2.foobar.fi.

Hijacked NS:

    bailiwick org.
    count 129
    first seen 2015-09-27 13:32:20 -
    last seen 2015-09-29 14:36:51 -
    puiterwijk.org. NS ns1.pendingrenewaldeletion.com.
    puiterwijk.org. NS ns2.pendingrenewaldeletion.com.
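Added example, not part of the original message and not DNSDB's own API: a detection check over the passive-DNS observations quoted above, flagging an rrset that first appears while a long-established rrset of the same type with entirely different rdata is still being seen. The tuple layout, the function names and the 180-day baseline threshold are assumptions made for this illustration.

```python
from datetime import datetime, timedelta

# Observations transcribed from the DNSDB output in the message above:
# (rrtype, bailiwick, count, first_seen, last_seen, rdata set)
OBSERVATIONS = [
    ("MX", "puiterwijk.org.", 10521, "2013-04-26 14:04:22", "2015-09-29 21:32:40",
     {"10 mail.puiterwijk.org."}),
    ("MX", "puiterwijk.org.", 27, "2015-09-27 13:32:20", "2015-09-29 13:32:05",
     {"5 mail.b-io.co."}),
    ("NS", "puiterwijk.org.", 48437, "2013-03-23 23:58:26", "2015-09-29 20:31:16",
     {"ns0.nohats.ca.", "ns1.nohats.ca.", "ns2.foobar.fi."}),
    ("NS", "org.", 129, "2015-09-27 13:32:20", "2015-09-29 14:36:51",
     {"ns1.pendingrenewaldeletion.com.", "ns2.pendingrenewaldeletion.com."}),
]

FMT = "%Y-%m-%d %H:%M:%S"

def parse(obs):
    """Turn one observation tuple into a dict with real datetimes."""
    rrtype, bailiwick, count, first, last, rdata = obs
    return {"rrtype": rrtype, "bailiwick": bailiwick, "count": count,
            "first": datetime.strptime(first, FMT),
            "last": datetime.strptime(last, FMT), "rdata": rdata}

def suspicious_rrsets(observations, min_baseline_age=timedelta(days=180)):
    """Flag rrsets that appear while an older, disjoint rrset of the same
    type is still observed. min_baseline_age is an assumed threshold."""
    records = [parse(o) for o in observations]
    findings = []
    for new in records:
        for base in records:
            if base is new or base["rrtype"] != new["rrtype"]:
                continue
            established = new["first"] - base["first"] >= min_baseline_age
            overlapping = base["last"] >= new["first"]   # old data still seen
            disjoint = not (base["rdata"] & new["rdata"])  # nothing in common
            if established and overlapping and disjoint:
                findings.append((new["rrtype"], new["bailiwick"],
                                 sorted(new["rdata"]), new["first"]))
    return findings

if __name__ == "__main__":
    for rrtype, bailiwick, rdata, first in suspicious_rrsets(OBSERVATIONS):
        print(f"{rrtype} changed at {first} (bailiwick {bailiwick}): {rdata}")
```

The bailiwick field is worth alerting on separately: the replacement NS set was seen under `org.` (the parent's delegation) rather than under the zone itself, which is where a registrar-side change shows up first.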
Re: [Dnssec-deployment] domain outage incident - redirected email attempts thwarted by DNSSEC
On Tue, Sep 29, 2015 at 10:59:15AM -0400, Paul Wouters wrote:

> So, my emails to this person were not delivered to the rogue MX servers
> because both he and I deployed DNSSEC.

+1

Another similar example: gimp.org expired in the second week of August and entered the grace period. At this time, the registrar conveniently directed DNS to their nameserver and was serving records (how is the registrar permitted to control the domain except disabling it, when it is in grace period?). DS record at parent held and helped, at least for those who were using validating resolvers.

Mukund
Re: [Dnssec-deployment] domain outage incident - redirected email attempts thwarted by DNSSEC
Paul Wouters writes:

> However, they did not modify the DS records after taking over the NS
> records and MX/A records.

Sadly though, they could have.