[dns-operations] using DNSSEC to mitigate domain hijacking via the registrar channel

Marco Davids (SIDN) marco.davids at sidn.nl
Sun Oct 13 07:26:22 UTC 2013

On 10/10/13 7:34 PM, Jim Reid wrote:
> On 10 Oct 2013, at 16:43, Dan York <york at isoc.org> wrote:
>> there's nothing that DNSSEC or anything else could have done here
> Perhaps that's the case for the incidents you described Dan.
> Some sort of token which identifies the EPP transaction could be given a name and entered into the zone that's getting redelegated or whatever. That RR would need to be signed. 

Interesting thought, but I don't know, Jim. Sounds like some way of
circular dependency to me?

For instance, what would happen if the registrar would upload the wrong
DNSKEY/DS to the parent and want to correct that? Would be impossible,
because validation is broken at that time?


More information about the dns-operations mailing list