[dns-operations] Another whitepaper on DDOS

Vernon Schryver vjs at rhyolite.com
Tue Feb 26 01:18:19 UTC 2013


> From: Tony Finch <dot at dotat.at>

> > > But the erroneous transfer of ebay.de would create a disaster with DANE.
> >
> > In what way would DANE make the theft of a domain worse?
>
> In addition to vjs's points, note that DNSSEC makes theft of a domain even
> more visible because it is likely to cause horrible breakage for
> validating users.

I didn't mention those alarms, because I assumed the domain was
stolen at the registrar or in the registry so that glue and DS
records would be corrected by the adversary.  I didn't recall the
particular theft, but assumed it involved the common modes of seizure
by the registrar or the use of stolen credentials at the registrar.

Only if the theft is downstream of the registry such as in a master
authoritative server for the domain would DNSSEC raise alarms.  Those
alarms are valuable, but I didn't want to argue nits with people who
after much more than a decade and many public scandals, still haven't
twigged to the unredeemable fraud that is commercial PKI.

Never mind the irony in the likely fact that the use of stolen
registrar credentials would be "protected (sic)" by commercial PKI.


Vernon Schryver    vjs at rhyolite.com
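
Added example, not part of the original message: a sketch of the DS-to-DNSKEY link check that distinguishes the two theft modes discussed above. The zone name and key bytes are constructed placeholders, and only the DS digest comparison (SHA-256, digest type 2) is modelled; RRSIG verification is left out.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercased) wire form of a domain name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (16 bits), protocol, algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256 over owner name wire form | DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def chain_intact(owner, parent_ds_digests, child_dnskeys):
    """True if some DNSKEY served by the child matches a DS at the parent."""
    return any(ds_digest(owner, k) in parent_ds_digests for k in child_dnskeys)

# Constructed sample data: the key material is placeholder bytes, not real keys.
ZONE = "example.de."
OWNER_KEY = dnskey_rdata(257, 3, 8, b"constructed-owner-key-material")
ADVERSARY_KEY = dnskey_rdata(257, 3, 8, b"constructed-adversary-key-material")

def scenarios():
    """Evaluate the DS link for each case described in the message."""
    registry_ds = {ds_digest(ZONE, OWNER_KEY)}
    return {
        # Nothing changed: the parent DS matches the served key.
        "untouched": chain_intact(ZONE, registry_ds, [OWNER_KEY]),
        # Theft downstream of the registry: the DS still names the owner's
        # key, so validators see a mismatch (the alarm).
        "downstream_theft": chain_intact(ZONE, registry_ds, [ADVERSARY_KEY]),
        # Theft at the registrar or registry: the DS is replaced along with
        # the key, so the chain validates and no alarm is raised.
        "registrar_theft": chain_intact(
            ZONE, {ds_digest(ZONE, ADVERSARY_KEY)}, [ADVERSARY_KEY]),
    }

if __name__ == "__main__":
    for case, ok in scenarios().items():
        print(f"{case}: {'validates' if ok else 'BOGUS (alarm)'}")
```
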


