On Jun 20, 2013 7:30 PM, "Rubens Kuhl" <rubensk@gmail.com> wrote:
In this case of registrar compromise, DS record could have been changed alongside NS records, so DNSSEC would only have been a early warning, because uncoordinated DS change disrupts service. As soon as previous timeouts played out, new DS/NS pairs would be considered as trustworthy as the old ones.
Since DS records typically have a ttl of 24 hours, that protection should not be underestimated even in the case of registrar compromise. However, everything released so far indicates this was a netsol error and not a compromise. And it was an error corrected fairly quickly from what I can tell. The impact was prolonged because the bad nameservers were cached in resolvers across the Internet. Of course, very few details have actually been released, so that construction could be wrong. But even in the worst case DNSSEC would have provided some mitigation for a time.