
A Deep Dive on the Recent Widespread DNS Hijacking



On Tue, Feb 26, 2019 at 1:58 AM Bill Woodcock <woody at pch.net> wrote:

>
>
> > On Feb 24, 2019, at 10:03 PM, Hank Nussbacher <hank at efes.iucc.ac.il> wrote:
> > Did you have a CAA record defined and if not, why not?
>
> It's something we'd been planning to do but, ironically, we'd been in the
> process of switching to Let's Encrypt, and they were one of the two CAs
> whose process vulnerabilities the attackers were exploiting.  So, in this
> particular case, it wouldn't have helped.
>
> I guess the combination of CAA with a very expensive, or very manual, CA,
> might be an improvement.  But it's still a band-aid on a bankrupt system.
>
> We need to get switched over to DANE as quickly as possible, and stop
> wasting effort trying to keep the CA system alive with ever-hackier
> band-aids.
>
>                                 -Bill



DNS guy says the solution for insecure DNS is... wait for it.... more DNS
...


