Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Saku Ytti
On Tue, Feb 26, 2019 at 4:05 AM wrote: > So what registries/registrars are supporting 2FA that's better than SMS? > Or since 98% of domain names are Bait type, is nobody bothering > to support something for the 2% that could use it? Gandi does TOTP and CIDR filtering, that is, you can give them

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Bill Woodcock
> On Feb 24, 2019, at 10:03 PM, Hank Nussbacher wrote: > Did you have a CAA record defined and if not, why not? It’s something we’d been planning to do but, ironically, we’d been in the process of switching to Let’s Encrypt, and they were one of the two CAs whose process vulnerabilities the

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Sander Steffann
> On 26 Feb 2019, at 10:56, Bill Woodcock wrote the following: > > We need to get switched over to DANE as quickly as possible, and stop wasting > effort trying to keep the CA system alive with ever-hackier band-aids. +1 Sander

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Bjørn Mork
Bill Woodcock writes: > We need to get switched over to DANE as quickly as possible, and stop > wasting effort trying to keep the CA system alive with ever-hackier > band-aids. Sure. Just won't happen as long as there is money left in the CA business. Bjørn

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Carl Byington via NANOG
On Mon, 2019-02-25 at 17:04 +1100, Mark Andrews wrote: > I would also note that an organisation can deploy RFC 5011 for their > own zones and have their own equipment use DNSKEYs managed using RFC > 5011 for their own zones. This isolates the

Re: 2FA, was A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Seth Mattinen
On 2/25/19 9:59 PM, Keith Medcalf wrote: Are you offering an indemnity in case that code is malicious? What are the terms and the amount of the indemnity? Anyone who is that paranoid should read the RFC and write their own TOTP client that lets them indemnify themselves from their own

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Tony Finch
valdis.kletni...@vt.edu wrote: > > Unless you get it down to the SMS "wait for a msg, type in the 6 digit number" > level, it's going to be a tough start... Isn't this what Duo's business is based on? Usable TOTP? See also Google Authenticator, Authy, 1Password, etc. usw. Tony. --

Re: DANE, was A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread John Levine
In article you write: >We need to get switched over to DANE as quickly as possible, and stop wasting >effort trying to keep the CA system alive with >ever-hackier band-aids. What's the DANE version of a green-bar cert?

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread John Levine
In article you write: >Swapping the DNS cabal for the CA cabal is not an improvement. Right? They >are really the same arbitraging rent-seekers, just different layers. The models are different. If I want to compromise your DNS I need to attack your specific registrar. If I want a bogus

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread David Conrad
On Feb 26, 2019, at 2:35 PM, Ca By wrote: > On Tue, Feb 26, 2019 at 1:58 AM Bill Woodcock > wrote: > > On Feb 24, 2019, at 10:03 PM, Hank Nussbacher > > wrote: > > Did you have a CAA record defined and if not, why not? > > It’s something we’d

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Ca By
On Tue, Feb 26, 2019 at 1:58 AM Bill Woodcock wrote: > > > > On Feb 24, 2019, at 10:03 PM, Hank Nussbacher > wrote: > > Did you have a CAA record defined and if not, why not? > > It’s something we’d been planning to do but, ironically, we’d been in the > process of switching to Let’s Encrypt,

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Ca By
On Tue, Feb 26, 2019 at 6:25 AM David Conrad wrote: > On Feb 26, 2019, at 2:35 PM, Ca By wrote: > > On Tue, Feb 26, 2019 at 1:58 AM Bill Woodcock wrote: > >> > On Feb 24, 2019, at 10:03 PM, Hank Nussbacher >> wrote: >> > Did you have a CAA record defined and if not, why not? >> >> It’s

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread John Levine
In article <3fd86d54-7fe4-4e1d-8c8d-a4d79f030...@pch.net> you write: >That’s the main reason for having a brand TLD at this point, from my point of >view. It’s the reason I’d get one in a heartbeat, if I could afford the fees. Well, actually, you can't get one. The 2013 round is still working

RE: 2FA, was A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Keith Medcalf
I did write my own TOTP client. However, why do you assume that I am talking about a TOTP client and not the referred webpage which requires the unfettered execution of third-party (likely malicious) javascript in order to view? Not to mention requiring the use of (also quite possibly

Re: 2FA, was A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Hunter Fuller
On Tue, Feb 26, 2019 at 9:56 PM Keith Medcalf wrote: > I did write my own TOTP client. However, why do you assume that I am talking > about a TOTP client and not the referred webpage which requires the > unfettered execution of third-party (likely malicious) javascript in order to > view?

Re: 2FA, was A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Ross Tajvar
Okay that was *clearly* a troll. On Tue, Feb 26, 2019 at 10:58 PM Keith Medcalf wrote: > > I did write my own TOTP client. However, why do you assume that I am > talking about a TOTP client and not the referred webpage which requires the > unfettered execution of third-party (likely malicious)

Re: DANE, was A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Julien Goodwin
On 27/2/19 3:10 am, John Levine wrote: > In article you write: >> We need to get switched over to DANE as quickly as possible, and stop >> wasting effort trying to keep the CA system alive with >> ever-hackier band-aids. > > What's the DANE version of a green-bar cert? You mean the EV

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread bzs
On February 26, 2019 at 20:45 jo...@iecc.com (John Levine) wrote: > In article <3fd86d54-7fe4-4e1d-8c8d-a4d79f030...@pch.net> you write: > >That’s the main reason for having a brand TLD at this point, from my point > >of view. It’s the reason I’d get one in a heartbeat, if I could afford

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Michael Hallgren
On 2019-02-26 11:04, Sander Steffann wrote: On 26 Feb 2019, at 10:56, Bill Woodcock wrote the following: We need to get switched over to DANE as quickly as possible, and stop wasting effort trying to keep the CA system alive with ever-hackier band-aids. +1 Sander +1 mh

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Bill Woodcock
> On Feb 26, 2019, at 9:15 AM, Jacques Latour wrote: > DNSSEC should never have been part of the domain registration process, it was > because we didn’t have the CDS/CDNSKEY channel to automate the DS > maintenance and bootstrap. But if you keep DNSSEC maintenance outside the > registrar

RE: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Jacques Latour
DNSSEC should never have been part of the domain registration process, it was because we didn’t have the CDS/CDNSKEY channel to automate the DS maintenance and bootstrap. But if you keep DNSSEC maintenance outside the registrar control then it can be an effective tool (amongst others) in identifying

Re: 2FA, was A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread valdis . kletnieks
On Tue, 26 Feb 2019 08:36:11 -0800, Seth Mattinen said: > On 2/25/19 9:59 PM, Keith Medcalf wrote: > > Are you offering an indemnity in case that code is malicious? What are the > > terms and the amount of the indemnity? > Anyone who is that paranoid should read the RFC and write their own TOTP

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Bill Woodcock
> On Feb 26, 2019, at 1:25 PM, Nico Cartron wrote: > > > >> On 26 Feb 2019, at 21:58, Bill Woodcock wrote: >> >> >> >>> On Feb 26, 2019, at 8:12 AM, John Levine wrote: >>> >>> In article >>> you >>> write: Swapping the DNS cabal for the CA cabal is not an improvement. Right?

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Mark Andrews
> On 27 Feb 2019, at 6:46 am, Bill Woodcock wrote: > > > >> On Feb 26, 2019, at 9:15 AM, Jacques Latour wrote: >> DNSSEC should never have been part of the domain registration process, it was >> because we didn’t have the CDS/CDNSKEY channel to automate the DS >> maintenance and

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Bill Woodcock
> On Feb 26, 2019, at 8:12 AM, John Levine wrote: > > In article > you > write: >> Swapping the DNS cabal for the CA cabal is not an improvement. Right? They >> are really the same arbitraging rent-seekers, just different layers. > > The models are different. If I want to compromise your

Re: 2FA, was A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Matthew Petach
On Tue, Feb 26, 2019 at 9:51 AM wrote: > On Tue, 26 Feb 2019 08:36:11 -0800, Seth Mattinen said: > > On 2/25/19 9:59 PM, Keith Medcalf wrote: > > > Are you offering an indemnity in case that code is malicious? What > are the > > > terms and the amount of the indemnity? > > > Anyone who is that

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Bill Woodcock
> On Feb 26, 2019, at 5:35 AM, Ca By wrote: > DNS guy says the solution for insecure DNS… I am not a DNS guy. I’m a routing guy who became a routing-economics guy as my hair got pointier. Stephane and Allison and Bert and Olafur are DNS people, to pick a few examples. And I believe that,