A Deep Dive on the Recent Widespread DNS Hijacking
- Subject: A Deep Dive on the Recent Widespread DNS Hijacking
- From: jrenken at sandwich.net (James Renken)
- Date: Tue, 26 Feb 2019 15:34:26 -0600
On Feb 25, 2019, at 1:16 PM, Hank Nussbacher <hank at efes.iucc.ac.il> wrote:
> Yes if an attacker pwned the DNS then game over no matter what. I go
> under the assumption that the attacker was not able to take over the DNS
> system but rather other things along the way, in which case CAA should
> be of some assistance.
I'm excited about a proposed CAA extension (https://tools.ietf.org/html/draft-ietf-acme-caa-06) that would allow domain owners to restrict issuance to a particular ACME account and a particular validation method. This could provide stronger protection against most attacks short of a registry or registrar hijack. It's implemented in Let's Encrypt's staging environment, and I hope it's able to move forward.
--
James Renken (pronouns: he/him)
Internet Security Research Group
Let's Encrypt: A Free, Automated, and Open CA
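
Added example, not part of the original message and not Let's Encrypt's code: a sketch of how a CA-side check could evaluate CAA `issue` values that carry the `accounturi` and `validationmethods` parameters defined in the linked draft. The CA domain, account URIs and records are constructed, and the handling of malformed records is this example's own conservative choice.

```python
# Added example. Parameter names are from draft-ietf-acme-caa; the CA domain,
# account URIs and records below are constructed for illustration.

def parse_issue_value(value):
    """Split 'ca.example; k=v; k2=v2' into (issuer_domain, {param: value})."""
    issuer, *rest = [p.strip() for p in value.split(";")]
    params = {}
    for part in filter(None, rest):
        key, sep, val = part.partition("=")
        key = key.strip().lower()
        if not sep or key in params:
            # Malformed or duplicated parameter: this example treats the
            # whole record as unsatisfiable (a conservative choice).
            raise ValueError(f"bad parameter in CAA value: {part!r}")
        params[key] = val.strip()
    return issuer.lower(), params

def issuance_permitted(issue_values, ca_domain, account_uri, method):
    """True if some 'issue' record authorizes this CA, account and method."""
    if not issue_values:
        return True  # no 'issue' records: CAA places no restriction
    for value in issue_values:
        try:
            issuer, params = parse_issue_value(value)
        except ValueError:
            continue  # an unsatisfiable record authorizes nothing
        if issuer != ca_domain.lower():
            continue
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue
        if "validationmethods" in params:
            allowed = [m.strip() for m in params["validationmethods"].split(",")]
            if method not in allowed:
                continue
        return True
    return False

OWNER = "https://ca.example.net/acme/acct/1001"      # constructed
RECORDS = [f"ca.example.net; accounturi={OWNER}; validationmethods=dns-01"]

if __name__ == "__main__":
    other = "https://ca.example.net/acme/acct/2002"  # constructed
    for acct, method in [(OWNER, "dns-01"), (OWNER, "http-01"), (other, "dns-01")]:
        ok = issuance_permitted(RECORDS, "ca.example.net", acct, method)
        print(f"{acct} via {method}: {'permit' if ok else 'refuse'}")
```

With the constructed record, only the owner's account using `dns-01` is authorized; the same account over `http-01`, or any other account, is refused even though the CA itself is listed.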