[dns-operations] using DNSSEC to mitigate domain hijacking via the registrar channel
Paul Hoffman
paul.hoffman at vpnc.org
Thu Oct 10 16:41:10 UTC 2013
On Oct 10, 2013, at 9:34 AM, Jim Reid <jim at rfc1035.com> wrote:
> On 10 Oct 2013, at 16:43, Dan York <york at isoc.org> wrote:
>
>> there's nothing that DNSSEC or anything else could have done here
>
> Perhaps that's the case for the incidents you described, Dan.
>
> However, DNSSEC could help provide some form of two-stage authentication for these sorts of requests. Says he hand-waving...
>
> Some sort of token which identifies the EPP transaction could be given a name and entered into the zone that's getting redelegated or whatever. That RR would need to be signed. [For bonus points, the RDATA of that RR could be that token encrypted with the private KSK or ZSK.] The registry checks this RR before acting on the EPP request, rejects it if something is wrong and raises an alarm.
>
> This would mean an impostor would have to do more than just compromise some registrar's control panel or send a fake fax. They would need to get access to the zone and its keys. Which in an ideal world would be isolated from the boxes a registrar uses to speak to the Internet or to the registry.
My hands can wave faster than yours:
Don't use passwords for registrant-registrar interactions, use public key crypto. Put a copy of the public key in a new RRtype in the signed zone. When the current zone owner wants to change the key (similar to a password change), they update that record.
--Paul Hoffman
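
The registry-side check sketched in the quoted text, as an added example that is not part of the original thread or of any registry's code. Assumptions: the owner name `_epp-token.<domain>`, the token being a SHA-256 digest over the transaction ID, domain and requested name servers, and a `lookup` callable standing in for a validating resolver are all hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class EppRequest:
    domain: str
    transaction_id: str                # e.g. the EPP client transaction ID
    new_nameservers: Tuple[str, ...]   # the delegation being requested


@dataclass(frozen=True)
class Answer:
    secure: bool             # True only if a validating resolver verified the RRSIG chain
    rdata: Tuple[str, ...]   # token strings found at the owner name


def _canon(name: str) -> str:
    return name.lower().rstrip(".")


def token_owner_name(req: EppRequest) -> str:
    # Hypothetical naming convention for the token RR inside the affected zone.
    return f"_epp-token.{_canon(req.domain)}."


def transaction_token(req: EppRequest) -> str:
    # Assumption: the token is a digest binding the transaction ID to the domain and
    # the requested name servers, so it cannot be reused for a different change.
    parts = [_canon(req.domain), req.transaction_id]
    parts += sorted(_canon(ns) for ns in req.new_nameservers)
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()


def registry_check(req: EppRequest, lookup: Callable[[str], Optional[Answer]]) -> Tuple[bool, str]:
    """Return (allow, reason); the caller rejects the request and alarms when allow is False."""
    answer = lookup(token_owner_name(req))
    if answer is None:
        return False, "no token RR in zone"
    if not answer.secure:
        return False, "token RR not DNSSEC-validated"
    expected = transaction_token(req).encode()
    if any(hmac.compare_digest(expected, r.encode()) for r in answer.rdata):
        return True, "token matches"
    return False, "token does not match this transaction"


# Constructed sample: the zone owner published the token for their own request.
LEGIT = EppRequest("example.com", "ABC-12345", ("ns1.example.net", "ns2.example.net"))
SIGNED_ZONE = {token_owner_name(LEGIT): Answer(True, (transaction_token(LEGIT),))}
```

Because the token covers the requested name servers, a request that arrives through the registrar channel with a different delegation fails the check even when the zone holds a valid token for the owner's own change.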