On Wed, 2017-04-12 at 11:50 -0700, Wei Chuang wrote:
> Hi dane folks,
>
> There recently was an article in Wired about how a banking site was
> domain hijacked:
> https://www.wired.com/2017/04/hackers-hijacked-banks-entire-online-operation/
> via a DNS registry account hijacking. I was wondering if DNSSEC can
> protect against such hijackings (and thereby protect DANE records).
[...snip...]

Hi Wei,

My first post to this list!

My understanding of that incident is that the attackers compromised the .br registry and from there reassigned the nameservers, thus redirecting traffic to their rogue server.

DANE or indeed DNSSEC isn't intended to prevent that type of attack, where the attacker has complete control of the domain name at a registry level, including the ability to change NS records and delete DS records. Essentially, in such cases the attacker follows the same procedure the legitimate registrant would follow to disable DNSSEC while changing nameservers.

There are other technologies and strategies available to mitigate the risk of such attacks, but if the registry is compromised then DNSSEC etc. can just be disabled so any scheme involving re-signing DS records can be overcome.

Ken.

--
Ken O'Driscoll / We Monitor Email
t: +353 1 254 9400 | w: www.wemonitoremail.com
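
The registry-level change described in the message above (NS records reassigned, DS records deleted) shows up from outside as a change in the parent zone's delegation. As an added example that is not part of the original thread, this check diffs two delegation snapshots and grades that pattern; the domain, nameserver names, DS values and function names are all constructed for illustration.

```python
# Added example (not from the original thread). Domain names, nameservers and
# the DS digest are constructed placeholders.
DIGEST = "ab" * 32  # constructed, not a real SHA-256 digest

BEFORE = f"""
bank.example. 3600 IN NS ns1.bank-dns.example.
bank.example. 3600 IN NS ns2.bank-dns.example.
bank.example. 3600 IN DS 12345 8 2 {DIGEST}
"""
AFTER = """
bank.example. 3600 IN NS ns1.other-host.example.   ; nameservers reassigned
bank.example. 3600 IN NS ns2.other-host.example.
"""                                                 # and no DS RRset at all

def parse_delegation(text):
    """Parse zone-file style lines into {'NS': set, 'DS': set}."""
    rrsets = {"NS": set(), "DS": set()}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()      # strip comments
        # Layout: owner [ttl] [class] type rdata...; find the type field.
        for i, field in enumerate(fields[1:], start=1):
            if field.upper() in rrsets:
                rdata = " ".join(fields[i + 1:]).lower().rstrip(".")
                rrsets[field.upper()].add(rdata)
                break
    return rrsets

def classify_change(before, after):
    """Compare two delegation snapshots and grade the change."""
    ns_changed = before["NS"] != after["NS"]
    if before["DS"] and not after["DS"]:
        # Signed -> insecure: validators stop checking this zone entirely.
        if ns_changed:
            return "CRITICAL: DS removed and NS changed together"
        return "HIGH: DS removed, zone no longer validated"
    if ns_changed and before["NS"].isdisjoint(after["NS"]):
        return "HIGH: every nameserver replaced"
    if ns_changed or before["DS"] != after["DS"]:
        return "REVIEW: delegation changed"
    return "OK"

if __name__ == "__main__":
    print(classify_change(parse_delegation(BEFORE), parse_delegation(AFTER)))
```

Because a legitimate registrant moving DNS providers produces the same delegation change, a CRITICAL result is only meaningful when checked against the registrant's own planned changes.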
