[dns-operations] FireEye reports long-running DNS hijacking campaign

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Jan 12 22:33:35 UTC 2019

> On Jan 12, 2019, at 4:40 PM, Bill Woodcock <woody at pch.net> wrote:
> It sounds like there are three parallel efforts underway: one to update
> the iOS security handbook, a second to get DNSSEC client validation
> integrated, and a third to try to move DANE forward.
> Anything any of you can do to continue to encourage them would be great.

DANE adoption for MTAs is moving along nicely, stats updated daily at:


Out of ~8.8 million working DNSSEC domains surveyed, ~9.5% (~834 thousand)
have DANE TLSA records for their MX hosts.  A couple of problem areas:

1.  A handful of MTA operators publish TLSA records that they then don't
    bother or know how to keep up to date.  These break after key or cert
    rollover.  There are ~300 such domains, with a partial list at:


    While adoption is still light, operators of broken systems don't notice
    the problem, if they're mostly receiving email from non-DANE senders.
    So the problems would fester, discouraging further adoption.  Hence the
    DANE survey, with a primary purpose of keeping the ecosystem in good
    health, until adoption is high enough for problems to be readily

    I don't know whether anything similar would be needed to bootstrap DANE
    outside the MTA-to-MTA space.  If adoption ramps up sufficiently quickly,
    then perhaps not.  But if adoption builds up gradually over 5 or more
    years, then there's a risk of bad data dominating the ecosystem, and
    thwarting further adoption.

2.  Authenticated denial of existence is still broken for some domains
    at a number of DNS hosting providers.  The top 20 by domain count are:

  50 dotserv.com
  36 tiscomhosting.nl
  35 metaregistrar.nl
  31 nrdns.nl
  30 sylconia.net
  24 active24.cz	- mostly wildcard CNAME loops
  21 nazwa.pl		- mostly wildcard NS
  15 movenext.nl
  13 host-redirect.com
  11 is.nl
  10 blauwblaatje.nl
   9 vultr.com
   9 army.mil		- mostly TLSA non-response
   7 openprovider.nl
   7 forpsi.net
   7 dnscluster.nl
   6 netcon.nl
   6 mijnhostingpartner.nl
   6 loopia.se
   6 cloudflare.com

    It would be good to have most of these addressed.

3.  DS record enrollment, and KSK rollover are still too hard.
    More registries need to get their act together and support

4.  Nameserver software for end-user zones (BIND, NSD, ...)
    should not only support automated zone signing, but should
    also support automatic ZSK generation and rollover.  And
    automatic support for CDS and KSK rollover when supported
    by the parent domain.  For SOHO users, DNSSEC should be
    no harder than operating an unsigned zone.

5.  Better monitoring tools would be great.  If even arin.net
    can fail to notice impending signature expiration, we're
    not providing sufficiently operator-friendly software.
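As an added illustration of the first problem area (TLSA records left behind after a key or certificate rollover), here is a small Python check; it is not part of this post or of the DANE survey's own tooling. It evaluates a published TLSA RRset against an MX host's current certificate chain, using the RFC 6698 selector and matching-type rules; the certificate and SubjectPublicKeyInfo byte strings are constructed stand-ins, not real DER.

```python
import hashlib

# Constructed sample data, not real keys: stand-ins for the DER-encoded
# certificate and SubjectPublicKeyInfo (SPKI) of an MX host before and
# after a rollover, plus its issuing CA.  Each tuple is (cert_der, spki_der).
OLD_LEAF = (b"CERT-old-mx", b"SPKI-old-mx")
NEW_LEAF = (b"CERT-new-mx", b"SPKI-new-mx")
ISSUER = (b"CERT-issuing-ca", b"SPKI-issuing-ca")

# Matching type: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512 (RFC 6698).
HASHES = {
    0: lambda d: d,
    1: lambda d: hashlib.sha256(d).digest(),
    2: lambda d: hashlib.sha512(d).digest(),
}

def tlsa_data(selector, mtype, cert):
    """Association data for a cert: selector 0 = full cert, 1 = SPKI."""
    cert_der, spki_der = cert
    return HASHES[mtype](spki_der if selector == 1 else cert_der).hex()

def parse_tlsa(rdata):
    """Parse presentation form '3 1 1 <hex>' (hex may contain spaces)."""
    usage, selector, mtype, data = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), "".join(data.split()).lower()

def tlsa_matches(rdata, chain):
    """True if the record matches the live chain (leaf first).
    Usages 3 (DANE-EE) and 1 (PKIX-EE) must match the end-entity cert;
    usages 2 (DANE-TA) and 0 (PKIX-TA) match an issuer in the chain."""
    usage, selector, mtype, data = parse_tlsa(rdata)
    candidates = chain[:1] if usage in (1, 3) else chain[1:]
    return any(tlsa_data(selector, mtype, c) == data for c in candidates)

def audit_tlsa(records, chain):
    """Split an RRset into records that still match and stale ones, the
    'broken after rollover' case the DANE survey flags."""
    ok = [r for r in records if tlsa_matches(r, chain)]
    stale = [r for r in records if r not in ok]
    return ok, stale

def publish(usage, selector, mtype, cert):
    """Build the TLSA rdata an operator would publish for this cert."""
    return f"{usage} {selector} {mtype} {tlsa_data(selector, mtype, cert)}"

if __name__ == "__main__":
    # Operator published DANE-EE for the old key and DANE-TA for the CA,
    # then rolled the MX key without updating DNS.
    rrset = [publish(3, 1, 1, OLD_LEAF), publish(2, 1, 1, ISSUER)]
    ok, stale = audit_tlsa(rrset, [NEW_LEAF, ISSUER])
    print("still valid:", ok)
    print("stale after rollover:", stale)
```

The DANE-TA record survives the leaf rollover while the DANE-EE record does not, which is why a pre-publish-then-rotate procedure (or a "2 1 1" record alongside "3 1 1") avoids the breakage the survey counts.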
