[dns-operations] Another whitepaper on DDOS
warren at kumari.net
Tue Feb 26 20:45:03 UTC 2013
On Feb 25, 2013, at 8:18 PM, Vernon Schryver <vjs at rhyolite.com> wrote:
>> From: Tony Finch <dot at dotat.at>
>>>> But the erroneous transfer of ebay.de would create a disaster with DANE.
>>> In what way would DANE make the theft of a domain worse?
>> In addition to vjs's points, note that DNSSEC makes theft of a domain even
>> more visible because it is likely to cause horrible breakage for
>> validating users.
> I didn't mention those alarms, because I assumed the domain was
> stolen at the registrar or in the registry so that glue and DS
> records would be corrected by the adversary.
As we have seen, when simply rolling keys, getting the timing correct is "tricky", and folk often manage to screw things up.
I suspect that, in a non-insignificant number of cases, the adversary would cause temporary validation failures for a number of folk, which may provide a signal that something has gone South… :-P
> I didn't recall the
> particular theft, but assumed it involved the common modes of seizure
> by the registrar or the use of stolen credentials at the registrar.
> Only if the theft is downstream of the registry such as in a master
> authoritative server for the domain would DNSSEC raise alarms. Those
> alarms are valuable, but I didn't want to argue nits with people who
> after much more than a decade and many public scandals, still haven't
> twigged to the unredeemable fraud that is commercial PKI.
> Never mind the irony in the likely fact that the use of stolen
> registrar credentials would be "protected (sic)" by commercial PKI.
> Vernon Schryver vjs at rhyolite.com
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
warren at kumari.net
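The mechanism under discussion in this thread (a takeover below the registry re-signs the zone with keys the parent's DS does not cover, so validators fail and monitoring can see it, whereas a takeover that also rewrites the DS gives no such signal) can be checked from outside with a DS/DNSKEY comparison. The following is an added example, not code from this list or any of its posters; the DS digest and key-tag construction follow RFC 4034, while the zone name, key bytes and the three scenarios are constructed for illustration and are not real keys or real zones.

```python
"""Detect DS/DNSKEY divergence between a parent zone and a child zone.

Added example for this thread, not code from the list or its posters.
Digest and key-tag construction follow RFC 4034 (section 5.1.4 and
Appendix B). All key material below is constructed and not a real key.
"""
import hashlib
from dataclasses import dataclass

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """The DS a parent should publish for this key: digest over owner name + DNSKEY RDATA."""
    h = DIGEST_ALGS[digest_type](wire_name(owner) + key.rdata()).hexdigest()
    return DS(key_tag(key), key.algorithm, digest_type, h)


def chain_status(owner: str, parent_ds: list, child_keys: list) -> dict:
    """Compare the parent's DS RRset against the child's DNSKEYs.

    Returns linked=False when no DS covers any published key, which is what
    validators would also conclude (and fail on).
    """
    matched = []
    for ds in parent_ds:
        for key in child_keys:
            expected = ds_from_dnskey(owner, key, ds.digest_type)
            if (expected.key_tag, expected.algorithm, expected.digest) == \
                    (ds.key_tag, ds.algorithm, ds.digest.lower()):
                matched.append(ds.key_tag)
    return {"linked": bool(matched),
            "matched_key_tags": sorted(set(matched)),
            "parent_ds_count": len(parent_ds)}


# Constructed scenario data (hypothetical zone, fake 4-byte "keys").
ZONE = "example.net."
LEGIT_KSK = DNSKEY(flags=257, protocol=3, algorithm=8, public_key=bytes([1, 2, 3, 4]))
LEGIT_ZSK = DNSKEY(flags=256, protocol=3, algorithm=8, public_key=bytes([9, 9, 9, 9]))
PARENT_DS = [ds_from_dnskey(ZONE, LEGIT_KSK)]
# A KSK the zone owner never published: a re-signing by a downstream intruder,
# or equally a botched key roll that forgot to update the DS.
ROGUE_KSK = DNSKEY(flags=257, protocol=3, algorithm=8, public_key=bytes([5, 6, 7, 8]))


def demo() -> dict:
    return {
        "normal": chain_status(ZONE, PARENT_DS, [LEGIT_KSK, LEGIT_ZSK]),
        # Thread's case: zone re-signed below the registry, parent DS untouched -> signal.
        "downstream_takeover": chain_status(ZONE, PARENT_DS, [ROGUE_KSK, LEGIT_ZSK]),
        # Registrar/registry-level takeover that also rewrote the DS -> no signal at all.
        "registry_takeover": chain_status(ZONE, [ds_from_dnskey(ZONE, ROGUE_KSK)], [ROGUE_KSK]),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        verdict = "OK" if status["linked"] else "ALERT: no DS matches a published DNSKEY"
        print(f"{name:20s} {verdict}  {status}")
```

In practice the two inputs come from separate queries (the DS RRset from the parent's servers, the DNSKEY RRset from the child's), and the alert fires on the same condition a validator would fail on, which is exactly why the thread notes that only a theft downstream of the registry produces this signal.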