[163907] in North American Network Operators' Group
Re: Re: This is a coordinated hacking. (Was Re: Need help in flushing
daemon@ATHENA.MIT.EDU (Rubens Kuhl)
Thu Jun 20 20:29:15 2013
In-Reply-To: <CAFy81rnVv1c46Kz6FYRnizx0KYF4W0+yA7RipW7__tE_6yd9Qw@mail.gmail.com>
Date: Thu, 20 Jun 2013 21:29:06 -0300
From: Rubens Kuhl <rubensk@gmail.com>
To: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Thu, Jun 20, 2013 at 8:41 PM, Timothy Morizot <tmorizot@gmail.com> wrote:
> On Jun 20, 2013 5:31 PM, "Randy Bush" <randy@psg.com> wrote:
> > and dnssec did not save us. is there anything which could have?
>
> Hmmm. DNSSEC wouldn't have prevented an outage. But from everything I've
> seen reported, had the zones been signed, validating recursive resolvers
> (comcast, google, much of federal government, mine) would have returned
> servfail and would not have cached the bad nameservers in their good cache.
>
> Users would have simply failed to connect instead of being sent to the
> wrong page and recovery would have been quicker and easier. From my
> perspective as someone responsible for DNS at a fairly large enterprise,
> that would have been preferable.
>
> But then, the zones for which I'm responsible are signed.
>
In this case of registrar compromise, the DS record could have been changed
alongside NS records, so DNSSEC would only have been an early warning,
because an uncoordinated DS change disrupts service. As soon as previous
timeouts played out, new DS/NS pairs would be considered as trustworthy as
the old ones.
Rubens
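As an added illustration of the point made above (example code, not part of the thread): a simplified Python model of a validating resolver's DS cache. It computes real RFC 4034 SHA-256 DS digests but omits RRSIG checks; the zone name, key bytes and 3600-second DS TTL are constructed values.

```python
import hashlib
import struct

DS_TTL = 3600  # seconds the parent-side DS record stays cached (constructed value)


def name_to_wire(name: str) -> bytes:
    """Encode a dotted owner name in DNS wire format (length-prefixed labels)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, then the public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (RFC 4034 5.1.4): SHA-256(owner wire name || DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


class ValidatingResolver:
    """Models only the cached parent-side DS; signature verification is omitted."""

    def __init__(self):
        self.ds_cache = {}  # zone -> (digest, expiry time)

    def validate(self, zone, now, registry_ds, served_dnskey):
        cached = self.ds_cache.get(zone)
        if cached is None or cached[1] <= now:
            # Cache miss or TTL expired: trust whatever the parent publishes right now
            cached = (registry_ds[zone], now + DS_TTL)
            self.ds_cache[zone] = cached
        # The DNSKEY served by the (possibly hijacked) child must hash to the cached DS
        return "SECURE" if ds_digest_sha256(zone, served_dnskey) == cached[0] else "SERVFAIL"


def simulate_registrar_compromise():
    """Verdicts before the DS/NS swap, during the old DS TTL, and after it expires."""
    zone = "example.com."
    legit_key = dnskey_rdata(257, 8, b"LEGIT-KSK-PUBLIC-KEY-BYTES")  # constructed
    rogue_key = dnskey_rdata(257, 8, b"ROGUE-KSK-PUBLIC-KEY-BYTES")  # constructed
    registry_ds = {zone: ds_digest_sha256(zone, legit_key)}
    resolver = ValidatingResolver()
    verdicts = [resolver.validate(zone, 0, registry_ds, legit_key)]  # normal operation
    registry_ds[zone] = ds_digest_sha256(zone, rogue_key)  # DS and NS swapped at the registrar
    verdicts.append(resolver.validate(zone, 60, registry_ds, rogue_key))  # old DS still cached
    verdicts.append(resolver.validate(zone, DS_TTL + 60, registry_ds, rogue_key))  # TTL expired
    return verdicts
```

The middle verdict is the "early warning" window: validation fails only while the old DS is still cached, and once it expires the new DS/NS pair validates like any other.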