[dns-operations] summary of recent vulnerabilities in DNS security.

Warren Kumari warren at kumari.net
Mon Oct 21 21:15:26 UTC 2013

On Oct 21, 2013, at 4:39 PM, Phil Regnauld <regnauld at nsrc.org> wrote:

> Michele Neylon - Blacknight (michele) writes:
>>> Yes, I've noticed that Google is still not signing.  Maybe the
>>> continuing hijackings of their ccTLD domains will move them.
>> I suspect they're more interested in getting "registry lock" in place rather than DNSSEC.
> 	That'd be assuming most registries have the concept of lock, which is
> 	far from being the case.

Some do, some don't… 
In some cases the "registry lock" is actually just a comment in a zone file, saying something along  the lines of:
; -------- WARNING ---------
; Don't change this!
; Call Warren at +1-xxx-xxx-xxxx before making any changes.
; -------- WARNING -------

In a number of cases registries don't "officially" support locks, but have been willing to do something unusual for a beer / friend.

>> Most of the attacks against Google have involved changing the name servers completely .. 
> 	Through social engineering and sometimes through directed attacks, yes.

Sadly yes. 


> 	Cheers,
> 	Phil
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Tsort's Constant: 
1.67563, or precisely 1,237.98712567 times the difference between the distance to the sun and the weight of a small orange. 
-- Terry Pratchett, "The Light Fantastic" (slightly modified)

More information about the dns-operations mailing list