[dns-operations] DNS infrastructure and disclosure (was: Verisign deep-hacked. For months.)

Andrew Sullivan ajs at anvilwalrusden.com
Fri Feb 3 13:27:57 UTC 2012

On Thu, Feb 02, 2012 at 05:22:00PM -0800, Paul Hoffman wrote:

> I see nothing in the filing that indicates that this affected (or didn't affect) Verisign's DNS operations.

It's the "or didn't affect" part that is, despite my faith in the
operations people at Verisign, most concerning.  In particular, while
the filing does say, "We have investigated and do not believe these
attacks breached the servers that support our Domain Name System
('DNS') network," it also says,

    However, given the nature of such attacks, we cannot assure that
    our remedial actions will be sufficient to thwart future attacks
    or prevent the future loss of information. In addition, although
    the Company is unaware of any situation in which possibly
    exfiltrated information has been used, we are unable to assure
    that such information was not or could not be used in the future.

The only plausible way of interpreting this is that Verisign doesn't
actually know what was lost, and therefore it doesn't know what to
look for in order to figure out whether it's been used.  Without an
explanation of why they don't believe the DNS network was breached,
it's impossible to judge whether they believe that because it would be
nice to believe it, because there's no evidence so far that it
happened, because they had a look at the logs and don't see any
evidence (but of course, we don't know whether the logs could have
been altered), or because it's impossible to move between these
networks without leaving evidence.

We also don't know what the DNS network is supposed to be -- it's not
at all clear whether they're excluding or including the registry
databases in there.  Breach of those databases could be just as bad as
actual access to the DNS servers.  

On the whole, I have to agree with the anonymous Verisign employee
quoted in the Reuters article: "It's an ugly, slim sliver of
facts. It's not enough."  It's true that Verisign is not a public
utility and it doesn't have the responsibility of transparency that we
might expect from such a utility.  But it's running a significant part
of the public infrastructure, and when it faces this sort of
compromise, it needs to tell the rest of us what it knows, and provide
reasons for us to believe those claims -- especially when the release
of the information is coming over a year after the problem happened.
This isn't a special case for Verisign: I'd expect any of the root
operators and any of the TLD operators -- and I might extend this to
any ICANN-accredited registrar -- to hold to the same standard.  In
this case, we have the advantage that Verisign is a public company, so
the SEC filing forces the revelation.  Many other organizations in
this business aren't in the same boat (e.g. privately-held, not
incorporated in the US so not subject to the SEC, or government

Best regards,


Andrew Sullivan
ajs at anvilwalrusden.com

More information about the dns-operations mailing list