Ken,

On Wed, Apr 12, 2017 at 08:52:44PM +0100, Ken O'Driscoll wrote:
> On Wed, 2017-04-12 at 11:50 -0700, Wei Chuang wrote:
> > Hi dane folks,
> >
> > There recently was an article in Wired about how a banking site was
> > domain hijacked:
> > https://www.wired.com/2017/04/hackers-hijacked-banks-entire-online-operation/
> > via a DNS registry account hijacking. I was wondering if DNSSEC can
> > protect against such hijackings (and thereby protect DANE records).
> [...snip...]
>
> Hi Wei,
>
> My first post to this list!
>
> My understanding of that incident is that the attackers compromised the .br
> registry and from there reassigned the nameservers, thus redirecting traffic
> to their rogue server.
>
No, please read the article and the corrections we've provided. The domain
contact account had their listed email account compromised, a free email
provider. With email access and no 2FA configured for this account on our
system the attacker did a password reset. With access to the system they did
a regular delegation change.

> DANE or indeed DNSSEC isn't intended to prevent that type of attack, where
> the attacker has complete control of the domain name at a registry level,
> including the ability to change NS records and delete DS records.
> Essentially, in such cases the attacker follows the same procedure the
> legitimate registrant would follow to disable DNSSEC while changing
> nameservers.
>

Correct. If they had a DS the redelegation, done correctly, would be only a
little bit harder but totally doable.

Fred
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane
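
Because the redelegation discussed in this thread goes through the registry's normal procedure, DNSSEC validation does not flag it; watching the parent-side NS and DS sets for changes is one way to notice it. The following is an added example, not part of the original messages: it compares two delegation snapshots and flags a full nameserver replacement. The zone names, DS values, severity labels and function names are constructed assumptions.

```python
# Added example: classify a parent-side delegation change between two snapshots.
# All names and DS values are constructed; a real monitor would fill the
# snapshots by querying the TLD's servers for the zone's NS and DS sets.

def normalize(snapshot):
    """Return (ns_set, ds_set) with case, trailing dots and spacing removed."""
    ns = {name.lower().rstrip(".") for name in snapshot.get("ns", [])}
    ds = {tuple(rec.lower().split()) for rec in snapshot.get("ds", [])}
    return ns, ds

def classify_delegation_change(before, after):
    """Compare two snapshots and return (severity, findings)."""
    old_ns, old_ds = normalize(before)
    new_ns, new_ds = normalize(after)
    findings = []
    if old_ns != new_ns:
        findings.append("ns-changed")
    if old_ds and not new_ds:
        findings.append("ds-removed")      # zone falls back to insecure
    elif old_ds != new_ds:
        findings.append("ds-replaced" if old_ds else "ds-added")
    # Assumed heuristic: no surviving nameserver means a full redelegation,
    # the pattern in the thread, with or without a DS at the parent.
    if "ns-changed" in findings and not (old_ns & new_ns):
        severity = "high"
    elif findings:
        severity = "review"
    else:
        severity = "none"
    return severity, findings

SIGNED = {"ns": ["ns1.bank.example.", "ns2.bank.example."],
          "ds": ["12345 8 2 A1B2C3D4"]}           # constructed DS
REDELEGATED = {"ns": ["ns1.rogue.example.", "ns2.rogue.example."], "ds": []}
ROLLED = {"ns": ["NS1.bank.example", "ns2.bank.example"],
          "ds": ["54321 8 2 0F0E0D0C"]}           # same NS, new key

if __name__ == "__main__":
    for label, after in (("redelegated", REDELEGATED), ("rolled", ROLLED)):
        print(label, classify_delegation_change(SIGNED, after))
```

A DS-only change is reported as "review" rather than "high" because routine key rollovers produce the same signal.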
