[dns-operations] FireEye reports long-running DNS hijacking campaign

John Levine johnl at taugh.com
Sat Jan 12 20:13:33 UTC 2019


In article <B8FCE660-2F65-474E-8A6B-7BD59985A7A2 at pch.net> you write:
>Again, DNSSEC validation was the _only_ method that protected anyone in this attack.  Though of course DANE would have as well, had it
>been available.

How would DNSSEC help?  If they can break into the victim's registrar
account, they can change the DS record.

I agree DNSSEC would fix the #3 scenario where they're rewriting DNS
records in the middle somewhere, but not #1 and #2.

R's,
John
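
The distinction drawn in the message above, as an added example that is not part of the original post: it models only the DS-to-DNSKEY link of the chain of trust (RFC 4034 / RFC 4509 digest, RRSIG verification omitted) and shows that substituted records fail that link while a DS replaced at the parent passes it. The zone name, key bytes and the idea of comparing against a DS copy recorded out of band are constructed assumptions.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical lowercase wire form of a domain name (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS fields: key tag, algorithm, digest type 2, SHA-256(owner | RDATA)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def chain_validates(owner, parent_ds_set, child_dnskeys):
    """True if any DNSKEY served for the zone matches a DS held by the parent."""
    return any(make_ds(owner, k) in parent_ds_set for k in child_dnskeys)

# Constructed sample data: two unrelated keys for a placeholder zone.
ZONE = "example.com."
LEGIT_KEY = dnskey_rdata(257, 3, 13, bytes(range(64)))
ROGUE_KEY = dnskey_rdata(257, 3, 13, bytes(range(64, 128)))
PINNED_DS = {make_ds(ZONE, LEGIT_KEY)}  # assumed out-of-band copy of the real DS

def scenarios():
    """Compare records rewritten in transit with a DS replaced at the parent."""
    rogue_ds = {make_ds(ZONE, ROGUE_KEY)}
    return {
        # Parent still holds the real DS; the substituted key cannot match it.
        "rewritten_in_transit_validates": chain_validates(ZONE, PINNED_DS, [ROGUE_KEY]),
        # DS changed through the registrar account; the chain is consistent again.
        "ds_replaced_at_registrar_validates": chain_validates(ZONE, rogue_ds, [ROGUE_KEY]),
        # Only a comparison against the recorded DS notices the swap.
        "ds_differs_from_pinned": rogue_ds != PINNED_DS,
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```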


