[dns-operations] auth servers in different TLDs

Warren Kumari warren at kumari.net
Wed Apr 18 21:21:31 UTC 2018

On Wed, Apr 18, 2018 at 4:24 PM, Robert Edmonds <edmonds at mycre.ws> wrote:
> Stephane Bortzmeyer wrote:
>> On Tue, Apr 17, 2018 at 09:46:01AM -0400,
>>  Bob Harold <rharolde at umich.edu> wrote
>>  a message of 153 lines which said:
>> > On the other hand, anyone who compromises any of the TLD's that you
>> > use for NS records would be able to compromise your domain, so it
>> > could be a disadvantage to use several TLD's.
>> Luckily, there is a technical solution for this problem, DNSSEC.
> Unless the attacker also publishes compromised DS records?

Yeah, I started writing a ranty response to Stephane saying exactly
that -- and then realized that the attacker would need to publish the
DS in .net (for gmx.net) -- publishing bad DS records just along the
delegation path would, AFAICT, at best result in a DoS.
If your *parent* gets 0wned though, yes, you are out of luck....


> --
> Robert Edmonds

I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
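The reasoning in this reply, as an added toy model that is not part of the original message: it traces a resolver's chain of trust for a zone whose NS hostnames live under several TLDs and reports whether an attacker who owns a given set of zones gets a forged answer accepted, only a validation failure (DoS), or nothing. The zone names, parent map and NS placement are constructed sample data, not real delegation data.

```python
# Toy model of the thread's argument: which zone must be compromised before an
# attacker can forge validated answers for a domain whose NS names span TLDs.
ATTACKER_KEY = "attacker-key"

# Constructed sample data (hypothetical, not real delegation data):
# zone -> parent zone; "." is the resolver's configured trust anchor.
PARENT = {"net": ".", "org": ".", "de": ".", "gmx.net": "net"}
# target zone -> TLDs that host its NS hostnames (ns1.gmx.net, ns2.gmx.org, ...).
NS_TLDS = {"gmx.net": ["net", "org", "de"]}


def chain(zone):
    """Zones from just below the trust anchor down to `zone`."""
    path = []
    while zone != ".":
        path.append(zone)
        zone = PARENT[zone]
    return path[::-1]  # e.g. ["net", "gmx.net"]


def outcome(target, compromised, dnssec=True):
    """Return 'secure', 'forged' (rogue data accepted) or 'bogus' (validation fails: a DoS).

    `compromised` is the set of zones whose operator (and signing key) the attacker owns.
    """
    attacker_serves = False
    for zone in chain(target):
        # Rogue answers reach the resolver when the zone itself is owned, when its
        # parent is owned (the delegation can be repointed), or when a TLD hosting
        # one of its NS hostnames is owned (the NS address can be repointed).
        attacker_serves = (
            zone in compromised
            or PARENT[zone] in compromised
            or (zone == target and any(t in compromised for t in NS_TLDS.get(target, [])))
        )
        if zone in compromised or not attacker_serves:
            served_key = f"{zone}-key"  # the zone's real key (attacker holds it if owned)
        else:
            served_key = ATTACKER_KEY  # rogue data can only carry a made-up key
        # The DS record lives in the parent: only an owned parent can rewrite it.
        ds_key = served_key if PARENT[zone] in compromised else f"{zone}-key"
        if dnssec and ds_key != served_key:
            return "bogus"
    return "forged" if attacker_serves else "secure"
```

Owning .org or .de (which only host NS names) yields "bogus" with DNSSEC and "forged" without it; owning .net, the parent that publishes the DS, yields "forged" either way.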
