[dns-operations] using DNSSEC to mitigate domain hijacking via the registrar channel

Jim Reid jim at rfc1035.com
Mon Oct 14 20:02:06 UTC 2013

On 13 Oct 2013, at 08:26, Marco Davids (SIDN) <marco.davids at sidn.nl> wrote:

> Interesting thought, but I don't know, Jim. Sounds like some way of
> circular dependency to me?

Maybe Marco. I did say I was hand-waving though. :-)

That said, there might be some merit in a scheme like the one I outlined. Assuming of course that there was a clean separation between the registry-registrar channel and the management of DNS content. Which may not be there because registrars generally provide DNS for their registrants. If a bad guy has to spoof the registrants's credentials for the registrar AND change the DNS content for the domain to be hijacked, that might be a good enough barrier for "important" zones. After all they're unlikely to be hosted or managed from the registrar's control panel, less so if DNSSEC is involved.

> For instance, what would happen if the registrar would upload the wrong
> DNSKEY/DS to the parent and want to correct that? Would be impossible,
> because validation is broken at that time?

So don't do that. :-)

More information about the dns-operations mailing list