[dns-operations] using DNSSEC to mitigate domain hijacking via the registrar channel
jim at rfc1035.com
Mon Oct 14 20:02:06 UTC 2013
On 13 Oct 2013, at 08:26, Marco Davids (SIDN) <marco.davids at sidn.nl> wrote:
> Interesting thought, but I don't know, Jim. Sounds like some way of
> circular dependency to me?
Maybe Marco. I did say I was hand-waving though. :-)
That said, there might be some merit in a scheme like the one I outlined. Assuming of course that there was a clean separation between the registry-registrar channel and the management of DNS content. Which may not be there because registrars generally provide DNS for their registrants. If a bad guy has to spoof the registrants's credentials for the registrar AND change the DNS content for the domain to be hijacked, that might be a good enough barrier for "important" zones. After all they're unlikely to be hosted or managed from the registrar's control panel, less so if DNSSEC is involved.
> For instance, what would happen if the registrar would upload the wrong
> DNSKEY/DS to the parent and want to correct that? Would be impossible,
> because validation is broken at that time?
So don't do that. :-)
More information about the dns-operations