[dns-operations] BGP Hijack of Amazon DNS

Paul Ebersman list-dns-operations at dragon.net
Thu Apr 26 23:03:38 UTC 2018


bert.hubert> Another important thing is that even a brief BGP hijack of
bert.hubert> DNS *persists*.  A 5 minute takeover can poison people's
bert.hubert> caches for a day or more.

A rather crucial point... If I'm going to cache poison, I'm going to set
really really large TTLs on the bad records.

This is a defense in depth issue. DNSSEC doesn't solve everything. RPKI
doesn't solve everything. BCP 38 filtering doesn't solve everything. But
every hurdle we can put in front of the bad guys, every protection we
can put for at least some attacks is progress.

As long as these incremental steps aren't operationally fragile, it
makes sense. And current state of the art in software support for DNSSEC
is at least as mature as all sorts of other critical software we use
now.
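The persistence Bert describes, and the resolver-side knob that bounds it, as an added example that is not part of the post or either author's work: a small Python model of a caching resolver in which a lookup made during a short hijack window keeps returning the bogus answer until its cached TTL runs out, unless the resolver caps TTLs on entry (the setting real resolvers expose as Unbound's `cache-max-ttl` or BIND's `max-cache-ttl`). The hijack window, TTLs, name and addresses are constructed.

```python
"""Model of how a resolver cache retains an answer learned during a short
BGP hijack window, and how capping cached TTLs bounds that persistence.
Example code, not any resolver's own; scenario values are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

HIJACK_WINDOW = 300            # seconds the bogus authoritative was reachable
BOGUS_TTL = 7 * 86400          # large TTL carried by the bad record
GOOD_IP, BAD_IP = "192.0.2.10", "198.51.100.66"   # RFC 5737 documentation addresses


def authoritative_answer(name: str, now: float) -> Tuple[str, int]:
    """What the authoritative side returns at time `now` (constructed)."""
    if now < HIJACK_WINDOW:
        return BAD_IP, BOGUS_TTL
    return GOOD_IP, 300


@dataclass
class CacheEntry:
    rdata: str
    expires: float


class Resolver:
    def __init__(self, max_cache_ttl: Optional[int] = None):
        self.max_cache_ttl = max_cache_ttl
        self.cache: Dict[str, CacheEntry] = {}

    def resolve(self, name: str, now: float) -> str:
        entry = self.cache.get(name)
        if entry and entry.expires > now:
            return entry.rdata              # served from cache, upstream not re-checked
        rdata, ttl = authoritative_answer(name, now)
        if self.max_cache_ttl is not None:
            ttl = min(ttl, self.max_cache_ttl)   # the defensive cap
        self.cache[name] = CacheEntry(rdata, now + ttl)
        return rdata


def poisoned_until(max_cache_ttl: Optional[int], step: int = 600) -> int:
    """Seconds after the hijack starts until a resolver that queried during
    the window first returns the correct answer again."""
    r = Resolver(max_cache_ttl)
    r.resolve("example.test.", 0)        # first lookup lands in the hijack window
    t = 0
    while r.resolve("example.test.", t) == BAD_IP:
        t += step
    return t
```

With no cap the bogus answer is served for the full seven days; with a one-hour cap the exposure ends after an hour even though the hijack itself lasted five minutes.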
