[163908] in North American Network Operators' Group


Re: Re: This is a coordinated hacking. (Was Re: Need help in flushing

daemon@ATHENA.MIT.EDU (Timothy Morizot)
Thu Jun 20 20:44:51 2013

In-Reply-To: <CAGFn2k2O-SmSJsxxzaYK35ETKfD30CKc=t6mVHjS--mMR3eOsQ@mail.gmail.com>
Date: Thu, 20 Jun 2013 19:44:30 -0500
From: Timothy Morizot <tmorizot@gmail.com>
To: Rubens Kuhl <rubensk@gmail.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Jun 20, 2013 7:30 PM, "Rubens Kuhl" <rubensk@gmail.com> wrote:
> In this case of registrar compromise, DS record could have been changed
> alongside NS records, so DNSSEC would only have been an early warning,
> because uncoordinated DS change disrupts service. As soon as previous
> timeouts played out, new DS/NS pairs would be considered as trustworthy as
> the old ones.

Since DS records typically have a TTL of 24 hours, that protection should
not be underestimated even in the case of registrar compromise.

However, everything released so far indicates this was a netsol error and
not a compromise. And it was an error corrected fairly quickly from what I
can tell. The impact was prolonged because the bad nameservers were cached
in resolvers across the Internet.

Of course, very few details have actually been released, so that
construction could be wrong. But even in the worst case DNSSEC would have
provided some mitigation for a time.
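The two situations argued over above (NS and DS swapped together at the registry versus an NS-only error that was corrected quickly but lingered in caches) can be walked through with a small simulation. The code below is an added example, not code from this thread or from either poster: it implements the real DS digest and key-tag computations from RFC 4034 (SHA-256 digest type per RFC 4509) and a toy caching resolver, but the domain, nameserver names, placeholder key bytes and every TTL other than the 24-hour DS TTL are constructed assumptions.

```python
import hashlib
import struct

# Added example, not code from the thread or either poster: a toy caching
# resolver plus the DS-to-DNSKEY digest check a validating resolver makes,
# used to walk through the two situations discussed in the message above.
# Names, keys and every TTL except the 24h DS TTL are constructed assumptions.

OWNER = "example.com."
GOOD_NS, OTHER_NS = "ns1.good.example.", "ns1.other.example."

def wire_name(name):
    """Owner name in uncompressed wire format (RFC 1035), lower-cased."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.lower().encode("ascii") for x in labels) + b"\x00"

def dnskey_rdata(flags, alg, pubkey):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key (RFC 4034 s.2.1)."""
    return struct.pack("!HBB", flags, 3, alg) + pubkey

def key_tag(rdata):
    """Key tag computed over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner, rdata):
    """DS RDATA for a DNSKEY: key tag, algorithm, digest type 2 and
    SHA-256(owner name in wire format || DNSKEY RDATA) (RFC 4034 s.5.1.4, RFC 4509)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], 2, digest)

# Placeholder public keys (constructed, not real key material); each nameserver
# set publishes its own DNSKEY in the zone it serves.
GOOD_KEY = dnskey_rdata(257, 8, b"\x11" * 32)
OTHER_KEY = dnskey_rdata(257, 8, b"\x22" * 32)
ZONES = {GOOD_NS: GOOD_KEY, OTHER_NS: OTHER_KEY}

def delegation(ns, key):
    """Parent-side NS and DS for OWNER, as the registrar pushes them to the registry."""
    return {"NS": ns, "DS": ds_record(OWNER, key)}

class Resolver:
    """Caching resolver holding one NS RRset and one DS RRset for OWNER."""

    def __init__(self, parent, ns_ttl, ds_ttl, validating):
        self.parent = parent            # live registry state; mutated by the timelines
        self.ns_ttl, self.ds_ttl, self.validating = ns_ttl, ds_ttl, validating
        self.cache = {}                 # rrtype -> (value, expiry time)

    def _cached(self, rrtype, now):
        ent = self.cache.get(rrtype)
        return ent[0] if ent and now < ent[1] else None

    def resolve(self, now):
        """One lookup at time `now`: returns (nameserver answered from, status)."""
        ns = self._cached("NS", now)
        if ns is None:                  # NS expired: re-fetch the delegation from the parent
            ns = self.parent["NS"]
            self.cache["NS"] = (ns, now + self.ns_ttl)
        if not self.validating:
            return ns, "insecure"
        ds = self._cached("DS", now)
        if ds is None:                  # DS expired: fetch whatever the parent publishes now
            ds = self.parent["DS"]
            self.cache["DS"] = (ds, now + self.ds_ttl)
        dnskey = ZONES[ns]              # DNSKEY served by the nameserver we ended up at
        return ns, ("secure" if ds_record(OWNER, dnskey) == ds else "bogus")

def hijack_timeline():
    """Registrar compromise (Rubens's case): NS and DS both replaced at t=3600s.
    Child NS TTL 1h (assumed) and DS TTL 24h; the resolver cached both at t=0."""
    parent = delegation(GOOD_NS, GOOD_KEY)
    r = Resolver(parent, ns_ttl=3600, ds_ttl=86400, validating=True)
    r.resolve(0)
    parent.update(delegation(OTHER_NS, OTHER_KEY))
    return {t: r.resolve(t) for t in (7200, 86000, 90000)}

def error_timeline(validating=False):
    """Registrar error (Tim's reading): NS switched at t=3600s, corrected at t=7200s,
    but a resolver that refreshed in between keeps the bad NS for the
    delegation TTL (2 days assumed)."""
    parent = delegation(GOOD_NS, GOOD_KEY)
    r = Resolver(parent, ns_ttl=172800, ds_ttl=86400, validating=validating)
    parent.update(delegation(OTHER_NS, GOOD_KEY))   # wrong NS, DS untouched
    r.resolve(5000)                                 # first lookup lands inside the error window
    parent.update(delegation(GOOD_NS, GOOD_KEY))    # registry corrected; caches are not
    return {t: r.resolve(t) for t in (10000, 100000, 180000)}
```

In `hijack_timeline()` the resolver answers "bogus" (a SERVFAIL to its clients) for as long as the old DS is cached, because the replacement nameservers' DNSKEY does not hash to it; once the 24-hour DS TTL runs out it re-fetches the parent's DS and the new NS/DS pair validates as "secure", which is exactly the window both posters describe. A resolver with nothing cached at the moment of the change would skip straight to "secure". In `error_timeline()` a non-validating resolver keeps going to the wrong nameservers until its cached NS expires, long after the registry was corrected; run it with `validating=True` and the same lookups come back "bogus" rather than answered from the wrong servers, which is the partial mitigation the message above has in mind.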
