[dns-operations] FireEye reports long-running DNS hijacking campaign

John Levine johnl at taugh.com
Sat Jan 12 20:13:33 UTC 2019

In article <B8FCE660-2F65-474E-8A6B-7BD59985A7A2 at pch.net> you write:
>Again, DNSSEC validation was the _only_ method that protected anyone in this attack.  Though of course DANE would have as well, had it
>been available.

How would DNSSEC help?  If they can break into the victim's registrar
account, they can change the DS record.

I agree DNSSEC would fix the #3 scenario where they're rewriting DNS
records in the middle somewhere, but not #1 and #2.


More information about the dns-operations mailing list