Marco,
On 10/10/13 12:07 PM, "Marco Davids (SIDN)" <[email protected]> wrote:

>On 10/10/13 5:43 PM, Dan York wrote:
>
>> there's nothing that DNSSEC or anything else could have done here
>
>Not entirely true. Some form of domain-locking might have helped. For
>instance, we offer a protection-service, called .nl-control, where we
>actually block any automated change until a few recognized
>representatives have given explicit permission, both orally and in
>writing.

You're right. I should have been more clear. There's nothing I can think of that DNSSEC or any other *technology* related to the operations of the DNS could really do, i.e. there's nothing that the *network* could really do.

My initial thought on seeing the title of the link was... "oh, hey, maybe this is a hijack that could have been prevented with DNSSEC - let me take a look!" Only to find that it was a (sadly "regular", it seems) compromise at the registrar.

You're absolutely right that the *registrars* can do more to ensure that these kinds of changes don't get made without the appropriate authorization.

>But, having said that, I am still quite concerned about this relatively
>new trend. I'm afraid it won't stop here.

No, I suspect it won't. :-( It goes back to the attackers finding the weakest link - ex. http://xkcd.com/538/ - and the ever present balance between user convenience and security.

I understand the dilemma - a registrar wants to make it relatively easy for a user to do a legitimate automatic password reset should the account password be lost so that they aren't calling the registrar's help desk. On the other hand, you don't want to make it easy enough that problems like this occur.
Dan

--
Dan York
Senior Content Strategist, Internet Society
