On 26 February 2013 19:45, Tony Finch <d...@dotat.at> wrote:
> Vernon Schryver <v...@rhyolite.com> wrote:
>> > From: Tony Finch <d...@dotat.at>
>> >
>> > In addition to vjs's points, note that DNSSEC makes theft of a domain
>> > even more visible because it is likely to cause horrible breakage for
>> > validating users.
>>
>> I didn't mention those alarms, because I assumed the domain was
>> stolen at the registrar or in the registry so that glue and DS
>> records would be corrected by the adversary.
>
> I assumed that too :-) It's a common problem (see Educause recently...)
>
> The problem occurs because it is likely for caches to contain different
> parts of the validation chain (DS from parent, DNSKEYs and RRSIGs from
> child) from before and after the hack.
What if you add your server to the delegation, and either leave one of their servers in the list or clone their zone and host that on a separate server? Resolvers with the old keys cached will only take answers from the old servers. Resolvers that have refreshed and got the new keys will only take answers from the new servers. This gives you a 'transition period' where you can't attack everyone yet, but you should be able to selectively attack the ones that have the new key set without causing any disruption to ones that don't.

Does that idea sound viable?

I would like to pre-empt anyone calling this a flaw with DNSSEC, though, as DNSSEC is not meant to protect against someone who can submit new keys for your domain.

- Mike

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
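The "DS from parent, DNSKEYs from child" link Tony describes is exactly what a validating resolver checks: the DS it holds (possibly cached from before a registry change) must match the digest and key tag of the DNSKEY it fetches from the zone. The following is an added illustration, not code from anyone in this thread: it computes the RFC 4034 key tag and DS digest for a DNSKEY and compares them against a published DS, which is the check an operator can run to confirm the DS at the registry still links to the keys their servers actually serve. The key material is a constructed placeholder, not a real key.

```python
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase labels, each length-prefixed, terminated by the root label."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA.
    (Algorithm 1, RSA/MD5, used a different rule and is not handled here.)"""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name | DNSKEY RDATA), upper-case hex.
    Digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return hasher(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_matches(owner: str, flags: int, protocol: int, algorithm: int,
               pubkey_b64: str, published_ds: tuple) -> bool:
    """True if the DS (key_tag, algorithm, digest_type, digest_hex) published in the
    parent zone links to this DNSKEY. A False here is what a validating resolver
    sees when its cached DS and the freshly fetched DNSKEY come from different
    sides of a key change at the registry."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    tag, alg, dtype, digest_hex = published_ds
    return (tag == key_tag(rdata)
            and alg == algorithm
            and digest_hex.upper() == ds_digest(owner, rdata, dtype))


if __name__ == "__main__":
    # Constructed placeholder key (flags 257 = KSK, algorithm 13), not a real key.
    owner, flags, proto, alg, pub = "example.com.", 257, 3, 13, "AQIDBA=="
    rdata = dnskey_rdata(flags, proto, alg, pub)
    # What the operator should see published at the parent for this DNSKEY:
    print(owner, "DS", key_tag(rdata), alg, 2, ds_digest(owner, rdata, 2))
```

In practice you would fetch the DNSKEY RRset from each server listed in the delegation and the DS RRset from the parent, then run `ds_matches` for every DS/DNSKEY pair; if no pair links, validating resolvers that still trust the parent's DS will return SERVFAIL for the zone, which is the visible breakage the thread refers to.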