[dns-operations] using DNSSEC to mitigate domain hijacking via the registrar channel

Jim Reid jim at rfc1035.com
Thu Oct 10 16:34:53 UTC 2013

On 10 Oct 2013, at 16:43, Dan York <york at isoc.org> wrote:

> there's nothing that DNSSEC or anything else could have done here

Perhaps that's the case for the incidents you described Dan.

However DNSSEC could help provide some form of two-stage authentication for these sorts of requests. Says he hand-waving...

Some sort of token which identifies the EPP transaction could be given a name and entered into the zone that's getting redelegated or whatever. That RR would need to be signed. [For bonus points, the RDATA of that RR could be that token encrypted with the private KSK or ZSK.] The registry checks this RR before acting on the EPP request, rejects it if something is wrong and raises an alarm.

This would mean an impostor would have to do more than just compromise some registrar's control panel or send a fake fax. They would need to get access to the zone and its keys. Which in an ideal world would be isolated from the boxes a registrar uses to speak to the Internet or to the registry.

More information about the dns-operations mailing list