On 04/12/2017 11:50 AM, Wei Chuang wrote:
> Hi dane folks,
> There recently was an article in Wired about how a banking site was
> domain hijacked:
> https://www.wired.com/2017/04/hackers-hijacked-banks-entire-online-operation/
> via a DNS registry account hijacking. I was wondering if DNSSEC can
> protect against such hijackings (and thereby protect DANE records). My
> suspicion is no, DNSSEC can't protect against an attack at the registry
> level since a hijacker could publish a new set of consistent records for
> the zone including at the parent. If my suspicion is correct, has there
> been thought of re-signing the DS record signed with the older private
> key in a way that proves ownership through the key change? This gets
> published at the parent so it's visible even if the entire zone gets
> spoofed. This, put another way, would prove publicly continuity of
> ownership for the domain.
> thanks,
> -Wei
I had thought of this sort of scenario as well.
You can script to watch your DS records and alert you if they ever are
not supposed to be, but I hope there is a future where certificate
authorities are replaced by trust anchors independent of the root DNS
that can behave as a DS record 2FA.
e.g. to create a new KSK that DNSSEC would validate, the attacker would
not only have to fool the registry into uploading new DS records but
also fool the secondary trust anchor that duplicates the DS records.
Unfortunately that also opens up a DoS attack if an attacker is not able
to change the actual DS records but is able to fool the secondary
validator of the DS records.
That's DNSSEC issue though, not DANE.
Even if banks use DANE (and I wish they would) they also should have EV
certificates to currently defend against that type of thing.
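The DS-watching script the reply mentions, as an added example that is not part of this thread or of any IETF work: it pins the DS RRset the operator expects at the parent, compares what is actually published against that pin, and alerts on any drift (an unexpected DS, a pinned DS that vanished, or the delegation going insecure). It also cross-checks several independent sources, which approximates the "secondary trust anchor" idea, including its caveat that a poisoned secondary source yields a false alarm rather than a false pass. Fetching is pluggable so the block runs offline on constructed data; the zone name example.com., the key tags and the digests are made up, and the dnspython call named in the docstring is only a suggestion for a production fetcher.

```python
"""Pin-and-compare monitor for a zone's DS RRset at the parent.

Added example, not code from the dane list or the IETF. Network access is
left to a pluggable fetcher so this runs offline on constructed records; a
real deployment would fetch with e.g. dnspython's
dns.resolver.resolve(zone, "DS") from several independent resolvers.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

Fetcher = Callable[[str], List[str]]  # zone name -> DS records, presentation format


@dataclass(frozen=True, order=True)
class DSRecord:
    """One DS RR in presentation format: key tag, algorithm, digest type,
    hex digest. Normalised so case or whitespace differences in the digest
    do not raise false alerts."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str

    @classmethod
    def parse(cls, text: str) -> "DSRecord":
        fields = text.split()
        if len(fields) < 4:
            raise ValueError(f"malformed DS record: {text!r}")
        digest = "".join(fields[3:]).upper()  # zone files may split the digest
        if any(c not in "0123456789ABCDEF" for c in digest):
            raise ValueError(f"non-hex digest in DS record: {text!r}")
        return cls(int(fields[0]), int(fields[1]), int(fields[2]), digest)

    def __str__(self) -> str:
        return f"{self.key_tag} {self.algorithm} {self.digest_type} {self.digest}"


def check_ds(observed: Iterable[str], expected: Iterable[str]) -> Dict[str, object]:
    """Compare the DS RRset seen at the parent with the pinned set.

    "added" are records nobody expected (possible hijack or unplanned
    rollover); "missing" are pinned records no longer published; an empty
    observed set means the delegation has gone insecure. During a planned
    KSK rollover the pin is updated to hold both old and new DS.
    """
    obs = {DSRecord.parse(r) for r in observed}
    exp = {DSRecord.parse(r) for r in expected}
    return {
        "ok": obs == exp,
        "added": sorted(obs - exp),
        "missing": sorted(exp - obs),
        "insecure": not obs,
    }


def alerts_for(zone: str, report: Dict[str, object]) -> List[str]:
    """Render a report as alert lines; empty list when everything matches."""
    lines = []
    if report["insecure"]:
        lines.append(f"{zone}: no DS at parent, delegation is now insecure")
    for rec in report["added"]:
        lines.append(f"{zone}: UNEXPECTED DS at parent: {rec}")
    for rec in report["missing"]:
        lines.append(f"{zone}: pinned DS no longer published: {rec}")
    return lines


def watch(zone: str, fetch: Fetcher, expected: List[str]) -> List[str]:
    """One monitoring pass against the pin: fetch, compare, return alerts."""
    return alerts_for(zone, check_ds(fetch(zone), expected))


def cross_check(zone: str, fetchers: Dict[str, Fetcher]) -> List[str]:
    """Compare the DS RRset as seen from several independent sources.

    Any source that disagrees with the first one is reported. As the reply
    notes, a poisoned secondary source therefore raises a false alarm (a
    nuisance for the operator), but it can never make a bad DS look good.
    """
    seen = {name: {DSRecord.parse(r) for r in f(zone)} for name, f in fetchers.items()}
    base_name, base = next(iter(seen.items()))
    return [f"{zone}: DS seen by {name} differs from {base_name}"
            for name, rrset in seen.items() if rrset != base]


# Constructed sample data: fake key tags and fake SHA-256 digests.
FAKE_DIGEST_A = "0123456789ABCDEF" * 4
FAKE_DIGEST_B = "FEDCBA9876543210" * 4
PINNED_DS = ["12345 13 2 " + FAKE_DIGEST_A]


def fetch_steady(zone: str) -> List[str]:
    """Same DS as pinned, but lower-case and split as a zone file would print it."""
    return ["12345 13 2 " + FAKE_DIGEST_A[:32].lower() + " " + FAKE_DIGEST_A[32:].lower()]


def fetch_hijacked(zone: str) -> List[str]:
    """Parent now publishes a DS for a key the operator never generated."""
    return ["54321 13 2 " + FAKE_DIGEST_B]


if __name__ == "__main__":
    for label, fetcher in (("steady", fetch_steady), ("hijacked", fetch_hijacked)):
        print(label, watch("example.com.", fetcher, PINNED_DS) or ["ok"])
    print(cross_check("example.com.", {"resolverA": fetch_steady, "resolverB": fetch_hijacked}))
```

Run as a cron job, the interesting output is any non-empty alert list; the pin itself should live somewhere the registry account cannot touch, and be changed only as an explicit step of a planned KSK rollover.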
_______________________________________________
dane mailing list
dane@ietf.org
https://www.ietf.org/mailman/listinfo/dane