Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-03-04 Thread Bill Woodcock
> On Feb 26, 2019, at 1:34 PM, James Renken via NANOG wrote: > > On Feb 25, 2019, at 5:20 AM, Bill Woodcock wrote: >> We know that neither Comodo nor Let's Encrypt were DNSSEC validating before >> issuing certs. > > I’d like to clarify that Let’s Encrypt has always validated DNSSEC, dating

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-03-04 Thread James Renken via NANOG
On Feb 25, 2019, at 1:16 PM, Hank Nussbacher wrote: > Yes if an attacker pwned the DNS then game over no matter what. I go > under the assumption that the attacker was not able to take over the DNS > system but rather other things along the way, in which case CAA should > be of some

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-03-04 Thread James Renken via NANOG
On Feb 25, 2019, at 5:20 AM, Bill Woodcock wrote: > We know that neither Comodo nor Let's Encrypt were DNSSEC validating before > issuing certs. I’d like to clarify that Let’s Encrypt has always validated DNSSEC, dating to before we issued our first publicly trusted certificate in September

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-03-04 Thread Nico Cartron
> On 26 Feb 2019, at 21:58, Bill Woodcock wrote: > > > >> On Feb 26, 2019, at 8:12 AM, John Levine wrote: >> >> In article >> you >> write: >>> Swapping the DNS cabal for the CA cabal is not an improvement. Right? They >>> are really the same arbitraging rent-seekers, just different

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-28 Thread Bill Woodcock
> On Feb 24, 2019, at 9:20 PM, Bill Woodcock wrote: > > > >> On Feb 24, 2019, at 7:41 PM, Montgomery, Douglas (Fed) >> wrote: >> In the 3rd attack noted below, do we know if the CA that issued the DV CERTS >> does DNSSEC validation on its DNS challenge queries? > > We know that neither

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread bzs
On February 26, 2019 at 20:45 jo...@iecc.com (John Levine) wrote: > In article <3fd86d54-7fe4-4e1d-8c8d-a4d79f030...@pch.net> you write: > >That’s the main reason for having a brand TLD at this point, from my point > >of view. It’s the reason I’d get one in a heartbeat, if I could afford

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread John Levine
In article <3fd86d54-7fe4-4e1d-8c8d-a4d79f030...@pch.net> you write: >That’s the main reason for having a brand TLD at this point, from my point of >view. It’s the reason I’d get one in a heartbeat, if I could afford the fees. Well, actually, you can't get one. The 2013 round is still working

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Bill Woodcock
> On Feb 26, 2019, at 1:25 PM, Nico Cartron wrote: > > > >> On 26 Feb 2019, at 21:58, Bill Woodcock wrote: >> >> >> >>> On Feb 26, 2019, at 8:12 AM, John Levine wrote: >>> >>> In article >>> you >>> write: Swapping the DNS cabal for the CA cabal is not an improvement. Right?

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Bill Woodcock
> On Feb 26, 2019, at 8:12 AM, John Levine wrote: > > In article > you > write: >> Swapping the DNS cabal for the CA cabal is not an improvement. Right? They >> are really the same arbitraging rent-seekers, just different layers. > > The models are different. If I want to compromise your

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Mark Andrews
> On 27 Feb 2019, at 6:46 am, Bill Woodcock wrote: > > > >> On Feb 26, 2019, at 9:15 AM, Jacques Latour wrote: >> DNSSEC should never have been part of the domain registration process, it was >> because we didn’t have the CDS/CDNSKEY channel to automate the DS >> maintenance and

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Bill Woodcock
> On Feb 26, 2019, at 5:35 AM, Ca By wrote: > DNS guy says the solution for insecure DNS… I am not a DNS guy. I’m a routing guy who became a routing-economics guy as my hair got pointier. Stephane and Allison and Bert and Olafur are DNS people, to pick a few examples. And I believe that,

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Bill Woodcock
> On Feb 26, 2019, at 9:15 AM, Jacques Latour wrote: > DNSSEC should never have been part of the domain registration process, it was > because we didn’t have the CDS/CDNSKEY channel to automate the DS > maintenance and bootstrap. But if you keep DNSSEC maintenance outside the > registrar

RE: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Jacques Latour
Cc: nanog@nanog.org Subject: Re: A Deep Dive on the Recent Widespread DNS Hijacking > On Feb 24, 2019, at 10:03 PM, Hank Nussbacher > mailto:h...@efes.iucc.ac.il>> wrote: > Did you have a CAA record defined and if not, why not? It’s something we’d been planning to do but, ironic

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Carl Byington via NANOG
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Mon, 2019-02-25 at 17:04 +1100, Mark Andrews wrote: > I would also note that an organisation can deploy RFC 5011 for their > own zones and have their own equipment use DNSKEYs managed using RFC > 5011 for their own zones. This isolates the

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread John Levine
In article you write: >Swapping the DNS cabal for the CA cabal is not an improvement. Right? They >are really the same arbitraging rent-seekers, just different layers. The models are different. If I want to compromise your DNS I need to attack your specific registrar. If I want a bogus

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Tony Finch
valdis.kletni...@vt.edu wrote: > > Unless you get it down to the SMS "wait for a msg, type in the 6 digit number" > level, it's going to be a tough start... Isn't this what Duo's business is based on? Usable TOTP? See also Google Authenticator, Authy, 1Password, etc. usw. Tony. --

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Ca By
On Tue, Feb 26, 2019 at 6:25 AM David Conrad wrote: > On Feb 26, 2019, at 2:35 PM, Ca By wrote: > > On Tue, Feb 26, 2019 at 1:58 AM Bill Woodcock wrote: > >> > On Feb 24, 2019, at 10:03 PM, Hank Nussbacher >> wrote: >> > Did you have a CAA record defined and if not, why not? >> >> It’s

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread David Conrad
On Feb 26, 2019, at 2:35 PM, Ca By wrote: > On Tue, Feb 26, 2019 at 1:58 AM Bill Woodcock > wrote: > > On Feb 24, 2019, at 10:03 PM, Hank Nussbacher > > wrote: > > Did you have a CAA record defined and if not, why not? > > It’s something we’d

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Ca By
On Tue, Feb 26, 2019 at 1:58 AM Bill Woodcock wrote: > > > > On Feb 24, 2019, at 10:03 PM, Hank Nussbacher > wrote: > > Did you have a CAA record defined and if not, why not? > > It’s something we’d been planning to do but, ironically, we’d been in the > process of switching to Let’s Encrypt,

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Bjørn Mork
Bill Woodcock writes: > We need to get switched over to DANE as quickly as possible, and stop > wasting effort trying to keep the CA system alive with ever-hackier > band-aids. Sure. Just won't happen as long as there is money left in the CA business. Bjørn

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Michael Hallgren
On 2019-02-26 11:04, Sander Steffann wrote: On 26 Feb 2019, at 10:56, Bill Woodcock wrote the following: We need to get switched over to DANE as quickly as possible, and stop wasting effort trying to keep the CA system alive with ever-hackier band-aids. +1 Sander +1 mh

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Sander Steffann
> On 26 Feb 2019, at 10:56, Bill Woodcock wrote the > following: > > We need to get switched over to DANE as quickly as possible, and stop wasting > effort trying to keep the CA system alive with ever-hackier band-aids. +1 Sander signature.asc Description: Message signed with

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Bill Woodcock
> On Feb 24, 2019, at 10:03 PM, Hank Nussbacher wrote: > Did you have a CAA record defined and if not, why not? It’s something we’d been planning to do but, ironically, we’d been in the process of switching to Let’s Encrypt, and they were one of the two CAs whose process vulnerabilities the

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Saku Ytti
On Tue, Feb 26, 2019 at 4:05 AM wrote: > So what registries/registrars are supporting 2FA that's better than SMS? > Or since 98% of domain names are Bait type, is nobody bothering > to support something for the 2% that could use it? Gandi does TOTP and CIDR filtering, that is, you can give them

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Hunter Fuller
On Mon, Feb 25, 2019 at 8:02 PM wrote: > So what registries/registrars are supporting 2FA that's better than SMS? > Or since 98% of domain names are Bait type, is nobody bothering > to support something for the 2% that could use it? If Joe's Bait and Tackle buys from Namecheap, they can utilize

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Eric Kuhnke
Markmonitor runs a registrar popular with fortune 500s that implements additional security steps, and talking to a clued in live human in the loop to modify anything in your domain record. On Mon, Feb 25, 2019, 6:03 PM wrote: > On Mon, 25 Feb 2019 18:23:44 -0700, Paul Ebersman said: > > >

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread valdis . kletnieks
On Mon, 25 Feb 2019 18:23:44 -0700, Paul Ebersman said: > Agreed. But this also gets down to the risk vs hassle tradeoff. Joe's > Bait & Tackle Shop probably isn't getting attacked by nation states who > can hack SS7, so SMS text might be good enough. And certainly better > than just an 8 char

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Paul Ebersman
ebersman> Yup. This is a good example of what I'm advocating. Just ebersman> saying "use 2FA" or "use DNSSEC" or "have a CAA" isn't ebersman> sufficient detail to make informed decisions of ebersman> risk/effort/reward tradeoffs. Simplistic suggestions without ebersman> details or context aren't

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Ross Tajvar
Speaking of registrars vs registries - I've noticed some companies have become their own registrar to improve their domain security (Cloudflare, Google, etc.). Is that a feasible path for smaller organizations? How much risk does that mitigate? It seems like it gives the organization control over

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread valdis . kletnieks
On Mon, 25 Feb 2019 12:14:59 -0700, Paul Ebersman said: > ekuhnke> One thing to consider with authentication for domain registrar > ekuhnke> accounts: > > ekuhnke> DO NOT USE 2FA VIA SMS. > > Yup. This is a good example of what I'm advocating. Just saying "use > 2FA" or "use DNSSEC" or "have a

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Paul Ebersman
ekuhnke> One thing to consider with authentication for domain registrar ekuhnke> accounts: ekuhnke> DO NOT USE 2FA VIA SMS. Yup. This is a good example of what I'm advocating. Just saying "use 2FA" or "use DNSSEC" or "have a CAA" isn't sufficient detail to make informed decisions of

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Paul Ebersman
ebersman> If someone owns your registry account, you're screwed. And ebersman> right now, it tends to be the most neglected part of the ebersman> entire zone ownership world. Let's use this opportunity to ebersman> help folks lock down their accounts, not muddying the waters ebersman> with dubious

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Eric Kuhnke
One thing to consider with authentication for domain registrar accounts: DO NOT USE 2FA VIA SMS. This is a known attack vector that's been used by SS7 hijacking techniques for several well documented thefts of cryptocurrency, from people who were known to be holding large amounts of (bitcoin,

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Owen DeLong
> On Feb 25, 2019, at 09:25 , Paul Ebersman wrote: > > ebersman> If someone owns your registry account, you're screwed. And > ebersman> right now, it tends to be the most neglected part of the > ebersman> entire zone ownership world. Let's use this opportunity to > ebersman> help folks lock

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Sander Steffann
Hi Paul, > Reread this and felt I should clarify that I realize that John and Doug > are not the ones saying DNSSEC is useless. I just hate to see the knee > jerk "oh, see, DNSSEC didn't save the day so it's obviously > useless". Let's give the world a better explanation. Security is only as

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Paul Ebersman
ebersman> If someone owns your registry account, you're screwed. And ebersman> right now, it tends to be the most neglected part of the ebersman> entire zone ownership world. Let's use this opportunity to ebersman> help folks lock down their accounts, not muddying the waters ebersman> with dubious

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Paul Ebersman
dougm> You are right, if you can compromise a registrar that permits dougm> DNSSEC to be disabled (without notification/confirmation to POCs dougm> etc), then you only have a limited period (max of DS TTL) of dougm> protection for those resolvers that have already cached the DS. johnl> As far as

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Hank Nussbacher
On 25/02/2019 11:37, Ask Bjørn Hansen wrote: On Feb 24, 2019, at 22:03, Hank Nussbacher wrote: Did you have a CAA record defined and if not, why not? If the attacker got a CA to issue the cert because they changed the DNS server to be their own, a CAA record wouldn’t have helped (or at

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Tony Finch
Mark Andrews wrote: > > An organisation can also deploy DLV for their own zones using their own > registry. While the current DLV validating code is only invoked > when the response validates as insecure, there is nothing preventing a > policy which says that DLV trumps or must also

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Ask Bjørn Hansen
> On Feb 24, 2019, at 22:03, Hank Nussbacher wrote: > > Did you have a CAA record defined and if not, why not? If the attacker got a CA to issue the cert because they changed the DNS server to be their own, a CAA record wouldn’t have helped (or at least been even easier to thwart than

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Måns Nilsson
Subject: Re: A Deep Dive on the Recent Widespread DNS Hijacking Date: Mon, Feb 25, 2019 at 05:04:39PM +1100 Quoting Mark Andrews (ma...@isc.org): > I would also note that an organisation can deploy RFC 5011 for their own > zones and have their own equipment use DNSKEYs managed > using

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-24 Thread Mark Andrews
> On 25 Feb 2019, at 4:34 pm, Bill Woodcock wrote: > > > >> On Feb 24, 2019, at 5:51 PM, Keith Medcalf wrote: >> >> That they also "forgot" to disable DNSSEC on PCH is not particularly >> relevant. It only goes to prove my point that DNSSEC is irrelevant and only >> gives a false sense

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-24 Thread Hank Nussbacher
On 25/02/2019 07:20, Bill Woodcock wrote: On Feb 24, 2019, at 7:41 PM, Montgomery, Douglas (Fed) wrote: In the 3rd attack noted below, do we know if the CA that issued the DV CERTS does DNSSEC validation on its DNS challenge queries? We know that neither Comodo nor Let's Encrypt were DNSSEC

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-24 Thread Bill Woodcock
> On Feb 24, 2019, at 5:51 PM, Keith Medcalf wrote: > > That they also "forgot" to disable DNSSEC on PCH is not particularly > relevant. It only goes to prove my point that DNSSEC is irrelevant and only > gives a false sense of security (for this particular attack vector). For those

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-24 Thread Bill Woodcock
> On Feb 24, 2019, at 7:41 PM, Montgomery, Douglas (Fed) wrote: > In the 3rd attack noted below, do we know if the CA that issued the DV CERTS > does DNSSEC validation on its DNS challenge queries? We know that neither Comodo nor Let's Encrypt were DNSSEC validating before issuing certs.

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-24 Thread Mark Andrews
DS records, but that would merely "complicate" > matters for the scripties and would not be protective ... > > > --- > The fact that there's a Highway to Hell but only a Stairway to Heaven > says a lot about anticipated traffic volume. > > >-Orig

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-24 Thread Töma Gavrichenkov
On Mon, Feb 25, 2019, 1:30 PM John Levine wrote: > > You are right, if you can compromise a registrar that permits DNSSEC to > be disabled (without notification/confirmation to POCs > > etc), then you only have a limited period (max of DS TTL) of protection > for those resolvers that have

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-24 Thread John Levine
In article you write: >You are right, if you can compromise a registrar that permits DNSSEC to be >disabled (without notification/confirmation to POCs >etc), then you only have a limited period (max of DS TTL) of protection for >those resolvers that have already cached the DS. As far as I can

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-24 Thread Ca By
long timeouts on your DS records, but that would merely > "complicate" matters for the scripties and would not be protective ... > > > --- > The fact that there's a Highway to Hell but only a Stairway to Heaven > says a lot about anticipated traffic volume.

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-24 Thread Montgomery, Douglas (Fed)
to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume. >-Original Message- >From: Montgomery, Douglas (Fed) [mailto:do...@nist.gov] >Sent: Sunday, 24 February, 2019 15:38 >To: nanog@nanog.org >Cc: kmedc...@dessus.com

RE: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-24 Thread Keith Medcalf
ume. >-Original Message- >From: Montgomery, Douglas (Fed) [mailto:do...@nist.gov] >Sent: Sunday, 24 February, 2019 15:38 >To: nanog@nanog.org >Cc: kmedc...@dessus.com >Subject: RE: A Deep Dive on the Recent Widespread DNS Hijacking > >You might have missed reading the ve

RE: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-24 Thread Montgomery, Douglas (Fed) via NANOG
stems Research @ NIST Date: Sat, 23 Feb 2019 12:13:41 -0700 From: "Keith Medcalf" To: "nanog@nanog.org" Subject: RE: A Deep Dive on the Recent Widespread DNS Hijacking Attacks Message-ID: <6e31d305aee69c4d85116e6a81d0c...@mail.des

Re: A Deep Dive on the Recent Widespread DNS Hijacking Attacks

2019-02-23 Thread Bill Woodcock
> On Feb 23, 2019, at 11:13 AM, Keith Medcalf wrote: > > So in other words this was just an old school script kiddie taking advantage > of DNS registrars, the only difference being this was a whole whack of script > kiddies acting in concert directed by a not-quite-so-stupid script kiddie,

RE: A Deep Dive on the Recent Widespread DNS Hijacking Attacks

2019-02-23 Thread Keith Medcalf
On Saturday, 23 February, 2019 10:03, Stephane Bortzmeyer wrote: >Very good article, very detailed, with a lot of technical precisions, >about the recent domain name hijackings (not using the DNS, just good >old hijackings at registrar or hoster).