On 03:11 13/04, John Levine wrote:
> > If my suspicion is correct, has there
> > been thought of re-signing the DS record signed with the older private key
> > in a way that proves ownership through the key change?
>
> This sounds to me like shutting the barn door after the horse is gone.
>
> If it's important to you that your domain isn't hijacked, we all know
> what to do, pick a registrar with good security and 2FA and so forth,
> and monitor your own DNS with alarms if there are unauthorized changes.
>
> Also, if we were to invent some sort of change signing, now you have
> the other problem where the guy with the private key quits and takes
> it with him, and you have to rebootstrap the zone somehow.
Agree. But anyway, we have two indicators that something is wrong, from a DNSSEC perspective. Either the hijacker deletes the DS and the zone goes insecure, or changes it for a new one and the zone goes bogus for some hours, just like a badly made rollover. Maybe the bank could indicate somehow that its zone should never go insecure/bogus, just like a website owner can signal with HSTS that it'll never go plain.

Hugo
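The two indicators Hugo describes (DS deleted, so the zone goes insecure; DS swapped for one that matches no key, so the zone goes bogus) are exactly what the "monitor your own DNS with alarms" advice in the quoted message would watch for. The following is an added example, not code from the thread or from any IETF project: a small Python checker that takes a zone's DNSKEY RRset and the DS RRset its parent publishes and classifies the delegation the way a validator does, then raises an alarm when the state is not the expected "secure". DS digests follow RFC 4509 (SHA-256 over owner name plus DNSKEY RDATA) and key tags RFC 4034 Appendix B. It goes slightly beyond the thread in also treating a DS with only unsupported algorithms or digest types as insecure, per RFC 4035 section 5.2 and RFC 6840 section 5.2. The zone name, the key bytes and the set of supported algorithms are assumptions; nothing is queried over the network, so in practice the two RRsets would be fetched from the child's and the parent's authoritative servers.

```python
"""Delegation-state monitor for a DNSSEC-signed zone (added example, not from the thread).

Given the child's DNSKEY RRset and the DS RRset the parent publishes, report whether
the delegation is "secure" (some DS matches a DNSKEY), "insecure" (no usable DS at the
parent, e.g. the DS was deleted) or "bogus" (DS present but matching no key, as after a
hijacker swaps it or a botched rollover). DS digests follow RFC 4509 (SHA-256) and key
tags RFC 4034 Appendix B. Only the standard library is used; all names and key bytes
below are constructed, not real key material, and nothing is queried from the network.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

# Signing algorithms this checker understands (assumption: a modern validator's set).
SUPPORTED_ALGORITHMS = {8, 13, 14, 15, 16}
DIGEST_SHA256 = 2


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = KSK (zone key + SEP bit), 256 = ZSK
    protocol: int       # must be 3 (RFC 4034 section 2.1.2)
    algorithm: int      # e.g. 13 = ECDSAP256SHA256
    public_key: bytes   # raw public key bytes as carried in the RDATA

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (the formula for every algorithm except 1)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def make_ds(owner: str, key: DNSKEY) -> DS:
    """Build the SHA-256 DS for a DNSKEY: digest = SHA-256(owner name | DNSKEY RDATA)."""
    digest = hashlib.sha256(owner_wire(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, DIGEST_SHA256, digest)


def delegation_state(owner: str, dnskeys: Iterable[DNSKEY], parent_ds: Iterable[DS]) -> str:
    """Classify the DS -> DNSKEY link as a validator would (RFC 4035 5.2, RFC 6840 5.2).

    Only the delegation link is checked; a full validator would also verify the RRSIGs
    over the DNSKEY RRset with the key the DS points at.
    """
    usable = [ds for ds in parent_ds
              if ds.digest_type == DIGEST_SHA256 and ds.algorithm in SUPPORTED_ALGORITHMS]
    if not usable:
        # No DS at all, or only DS we cannot use: the zone is treated as unsigned.
        return "insecure"
    keys = list(dnskeys)
    for ds in usable:
        for key in keys:
            # Cheap pre-filter on protocol, algorithm and key tag before hashing.
            if key.protocol != 3 or key.algorithm != ds.algorithm or key.key_tag() != ds.key_tag:
                continue
            if make_ds(owner, key) == ds:
                return "secure"
    return "bogus"


def alarm(owner: str, dnskeys: Iterable[DNSKEY], parent_ds: Iterable[DS],
          expected: str = "secure") -> Optional[str]:
    """Return an alarm line if the delegation is not in the expected state, else None."""
    state = delegation_state(owner, dnskeys, parent_ds)
    if state == expected:
        return None
    return f"ALARM {owner}: delegation is {state}, expected {expected}"


# Constructed sample data (not real keys): the zone's KSK and a hijacker's key.
ZONE = "bank.example."
KSK = DNSKEY(257, 3, 13, bytes(range(64)))
ROGUE_KSK = DNSKEY(257, 3, 13, bytes(range(64, 128)))

if __name__ == "__main__":
    good = [make_ds(ZONE, KSK)]
    print(alarm(ZONE, [KSK], good))                        # chain intact: no alarm
    print(alarm(ZONE, [KSK], []))                          # DS deleted: insecure
    print(alarm(ZONE, [KSK], [make_ds(ZONE, ROGUE_KSK)]))  # DS swapped: bogus
```

Run against a snapshot taken from the parent and the child on a schedule, the `alarm` output is the signal John's "monitor your own DNS" advice asks for. Note that the "secure" result here only means the DS to DNSKEY link holds; the case a real rollover must also survive, where the DS points at a key the zone no longer signs with, shows up only when the RRSIGs are checked as well.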
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
