
A Deep Dive on the Recent Widespread DNS Hijacking




> On Feb 26, 2019, at 1:34 PM, James Renken via NANOG <nanog at nanog.org> wrote:
> 
> On Feb 25, 2019, at 5:20 AM, Bill Woodcock <woody at pch.net> wrote:
>> We know that neither Comodo nor Let's Encrypt were DNSSEC validating before issuing certs.
> 
> I'd like to clarify that Let's Encrypt has always validated DNSSEC, dating to before we issued our first publicly trusted certificate in September 2015.

Yes, my apologies…  Comodo may well have been used in the attack against us _because_ Let's Encrypt was DNSSEC validating.  I'm sorry for tarring both Let's Encrypt and Comodo with the same brush.

The fact remains, however, that both Let's Encrypt and Comodo are facilitating these hijacks by issuing illegitimate certificates to attackers.  So, ipso facto, both organizations' security practices are insufficient.

We had what I thought to be a productive call with Jacob Hoffman-Andrews, of Let's Encrypt, late last week, and arrived at a couple of possibilities for improving the situation a bit, but I don't imagine that PCH has the expertise to contribute substantively to CA business process improvements, as that's well outside our field.

                                -Bill
