
Subject: Re: A Deep Dive on the Recent Widespread DNS Hijacking

Date: Mon, Feb 25, 2019 at 05:04:39PM +1100
Quoting Mark Andrews (marka@isc.org):
> I would also note that an organisation can deploy RFC 5011 for their own zones and have their own equipment use DNSKEYs managed using RFC 5011 for their own zones. This isolates the organisation's equipment from the parent zone's management practices.
>
> I would also note that you can configure validating resolvers to expect secure responses for parts of the namespace and to reject insecure responses even when they validate as insecure.
One thing that immediately struck me upon reading the Krebs post was that people got owned by having to downgrade the end-to-end model of the Internet into Proxy-land. A hotel wifi. Probably only challenged by "Free Wifi" in other spaces in its ability to demolish the Internet as thought out and envisioned.

We can conclude in two different directions here:

* We need to work on making the Internet more transparent to applications, and thus increasing security.
* We're all doomed anyway. DNSSEC is useless.

Pick whichever you like. Our children will judge us.

-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE     SA0XLR     +46 705 989668
My EARS are GONE!!
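For readers who want to see what Mark's two points look like in practice, here is a BIND 9 named.conf fragment added to this page; it is not part of the thread and not ISC's own text. The zone name example.net, the algorithm (13, ECDSAP256SHA256) and the key string are placeholders, so you must substitute the real KSK of the zone you operate before using it.

```text
options {
    // Validate everything for which a trust anchor is known;
    // "auto" also loads the built-in root trust anchor.
    dnssec-validation auto;

    // Mark's second point: answers at or below example.net must validate
    // as SECURE. A response that would otherwise be accepted as provably
    // insecure (e.g. the parent serving a delegation with no DS record)
    // is rejected instead, so an unsigned downgrade of this part of the
    // namespace fails rather than being silently accepted.
    dnssec-must-be-secure "example.net" yes;
};

// Mark's first point: an RFC 5011 managed trust anchor for a zone the
// organisation runs itself. "initial-key" means named only bootstraps from
// this key and thereafter tracks the zone's own KSK rollovers (new keys
// accepted after the add hold-down time, REVOKE bit honoured), independent
// of whatever DS records the parent zone publishes or fails to publish.
// Older BIND 9 releases spell this statement "managed-keys { ... };".
trust-anchors {
    // <zone> initial-key <flags> <protocol> <algorithm> "<base64 DNSKEY>"
    // flags 257 = KSK; the key string below is a placeholder, not a real key.
    example.net. initial-key 257 3 13 "<base64 public key of the example.net KSK>";
};
```

Two caveats a practitioner will want. First, RFC 5011 only helps if the zone operator actually rolls the KSK the RFC 5011 way (pre-publish the new key for at least the 30-day add hold-down before relying on it, and revoke the old one rather than just dropping it); otherwise the resolver's managed anchor goes stale and the must-be-secure policy turns into a self-inflicted outage. Second, both statements are BIND-specific; confirm in the ARM for the release you run that dnssec-must-be-secure is still supported there, and look up the equivalent knobs (trust anchor and "must be signed" policy) for other validators.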