[dns-operations] FireEye reports long-running DNS hijacking campaign
ietf-dane at dukhovni.org
Sat Jan 12 22:33:35 UTC 2019
> On Jan 12, 2019, at 4:40 PM, Bill Woodcock <woody at pch.net> wrote:
> It sounds like there are three parallel efforts underway: one to update
> the iOS security handbook, a second to get DNSSEC client validation
> integrated, and a third to try to move DANE forward.
> Anything any of you can do to continue to encourage them would be great.
DANE adoption for MTAs is moving along nicely, stats updated daily at:
Out of ~8.8 million working DNSSEC domains surveyed, ~9.5% (~834 thousand)
have DANE TLSA records for their MX hosts. A couple of problem areas:
1. A handful of MTA operators publish TLSA records that they then don't
bother or know how to keep up to date. These break after key or cert
rollover. There are ~300 such domains, with a partial list at:
While adoption is still light, operators of broken systems don't notice
the problem, if they're mostly receiving email from non-DANE senders.
So the problems would fester, discouraging further adoption. Hence the
DANE survey, with a primary purpose of keeping the ecosystem in good
health, until adoption is high enough for problems to be readily
I don't know whether anything similar would be needed to bootstrap DANE
outside the MTA-to-MTA space. If adoption ramps up sufficiently quickly,
then perhaps not. But if adoption builds up gradually over 5 or more
years, then there's a risk of bad data dominating the ecosystem, and
thwarting further adoption.
2. Authenticated denial of existence is still broken for some domains
at a number of DNS hosting providers. The top 20 by domain count are:
24 active24.cz - mostly wildcard CNAME loops
21 nazwa.pl - mostly wildcard NS
9 army.mil - mostly TLSA non-response
It would be good to have most of these addressed.
3. DS record enrollment, and KSK rollover are still too hard.
More registries need to get their act together and support
4. Nameserver software for end-user zones (BIND, NSD, ...)
should not only support automated zone signing, but should
also support automatic ZSK generation and rollover. And
automatic support for CDS and KSK rollover when supported
by the parent domain. For SOHO users, DNSSEC should be
no harder than operating an unsigned zone.
5. Better monitoring tools would be great. If even arin.net
can fail to notice impending signature expiration, we're
not providing sufficiently operator-friendly software.
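The check underlying problem area 1 above, as an added example (not part of Viktor's message and not the DANE survey's own code): match a TLSA RRset against the certificate an MX presents, using the RFC 6698/7671 selector and matching-type rules, and show what happens at certificate renewal versus key rollover when the record is or is not maintained. Only DANE-EE (usage 3) is evaluated; DANE-TA (usage 2) needs a chain walk that is omitted here. The certificates are constructed DER skeletons built in the block itself (no real keys or signatures), and the helper names (fake_cert, rollover_demo, tlsa_for_cert, dane_ee_matches) are this example's own.

```python
"""Added example: check a TLSA RRset against the certificate an MX actually presents,
and show why a record that is not updated at key rollover breaks DANE delivery.
Stdlib only. Matching rules per RFC 6698/7671; only DANE-EE(3) is evaluated here.
All certificates below are constructed DER skeletons, not real keys (assumption)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int      # 3 = DANE-EE, 2 = DANE-TA (needs chain matching, not done here)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes


def parse_tlsa(rdata: str) -> TLSA:
    """Presentation format, e.g. '3 1 1 8bd1...'; dig may split the hex with spaces."""
    usage, selector, mtype, *hexparts = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed test certificates)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body


def der_children(body: bytes) -> list:
    """Split a constructed DER body into (tag, inner_body, whole_tlv) triples."""
    out, i = [], 0
    while i < len(body):
        tag, length, j = body[i], body[i + 1], i + 2
        if length & 0x80:                      # long-form length
            nb = length & 0x7F
            length, j = int.from_bytes(body[j:j + nb], "big"), j + nb
        out.append((tag, body[j:j + length], body[i:j + length]))
        i = j + length
    return out


def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo TLV of an X.509 DER certificate (selector 1 input)."""
    cert_tag, cert_body, _ = der_children(cert_der)[0]
    tbs_tag, tbs_body, _ = der_children(cert_body)[0]
    if cert_tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER Certificate")
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                   # explicit [0] version; absent in v1 certs
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5][2]


def tlsa_matching_data(rec: TLSA, cert_der: bytes) -> bytes:
    """The bytes a record with these selector/mtype parameters must carry for cert_der."""
    obj = cert_der if rec.selector == 0 else spki_from_cert(cert_der)
    if rec.mtype == 0:
        return obj
    return (hashlib.sha256 if rec.mtype == 1 else hashlib.sha512)(obj).digest()


def dane_ee_matches(records, cert_der: bytes) -> bool:
    """True if some usable DANE-EE record matches; unusable parameter combos are skipped."""
    usable = [r for r in records if r.usage == 3 and r.selector in (0, 1) and r.mtype in (0, 1, 2)]
    return any(tlsa_matching_data(r, cert_der) == r.data for r in usable)


def tlsa_for_cert(cert_der: bytes, selector: int = 1, mtype: int = 1) -> str:
    """Record an operator should publish for this cert; '3 1 1' is the RFC 7671 recommendation."""
    return f"3 {selector} {mtype} " + tlsa_matching_data(TLSA(3, selector, mtype, b""), cert_der).hex()


def fake_cert(pubkey_bits: bytes, serial: int = 1, with_version: bool = True) -> bytes:
    """Constructed, structurally valid X.509 DER with placeholder key and signature (serial < 128)."""
    alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2A864886F70D010101")) + der_tlv(0x05, b""))
    spki = der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + pubkey_bits))
    name = der_tlv(0x30, b"")                  # empty RDNSequence
    validity = der_tlv(0x30, der_tlv(0x17, b"190101000000Z") + der_tlv(0x17, b"200101000000Z"))
    tbs = der_tlv(0xA0, der_tlv(0x02, b"\x02")) if with_version else b""
    tbs += der_tlv(0x02, bytes([serial])) + alg + name + validity + name + spki
    return der_tlv(0x30, der_tlv(0x30, tbs) + alg + der_tlv(0x03, b"\x00" + b"\xAA" * 32))


def rollover_demo() -> dict:
    """Certificate renewal vs. key rollover at an MX whose TLSA RRset is (or is not) maintained."""
    old_cert = fake_cert(b"\x01" * 64)
    renewed = fake_cert(b"\x01" * 64, serial=2)    # cert renewed, same key pair
    new_cert = fake_cert(b"\x02" * 64, serial=3)   # key rollover: new SubjectPublicKeyInfo
    rr_311 = parse_tlsa(tlsa_for_cert(old_cert))               # 3 1 1 (SPKI digest)
    rr_301 = parse_tlsa(tlsa_for_cert(old_cert, selector=0))   # 3 0 1 (full-cert digest)
    return {
        "311_after_renewal": dane_ee_matches([rr_311], renewed),               # same key: still fine
        "301_after_renewal": dane_ee_matches([rr_301], renewed),               # cert bytes changed
        "stale_311_after_key_rollover": dane_ee_matches([rr_311], new_cert),   # DANE senders refuse
        "prepublished_both": dane_ee_matches(
            [rr_311, parse_tlsa(tlsa_for_cert(new_cert))], new_cert),          # RFC 7671 rollover
    }
```

For a live check, fetch `_25._tcp.<mx>` TLSA through a validating resolver and only trust the RRset when the AD bit is set (DANE without DNSSEC validation is no authentication at all), then obtain the leaf certificate with `smtplib.SMTP(mx, 25)`, `starttls()`, and `sock.getpeercert(binary_form=True)`. The demo shows why the survey recommends "3 1 1": a renewal with the same key leaves it valid, whereas "3 0 1" breaks on every renewal, and any key rollover breaks either unless the new record is published alongside the old one before the switch.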