[ksk-rollover] Any potential correlation between the roll over and the recent notice by the US Department of Homeland Security on DNS Cyber Attacks?
warren at kumari.net
Fri Jan 25 20:17:12 UTC 2019
On Fri, Jan 25, 2019 at 2:31 PM Lee Neubecker <lee.neubecker at greatlakesforensics.com> wrote:
> I wanted to make sure you were all aware of several notices issued which
> came just before and after the root key change over for DNS. Bad actors
> with access to the older private key root (if compromised) may have been
> motivated to strike before the key change over.
> This alert went out the day before change over on January 10th, 2019.
Nope, these are unrelated -- the attacks above are simply attackers logging
into registrar / DNS provider accounts using the victims' credentials
(either collected through phishing, brute-forcing, or, most likely, because
the registrants used the same credentials elsewhere) and changing the
nameservers / address records to point at nameservers which they control.
This isn't a DNSSEC-related attack at all -- if attackers had the old key
and could still use it they would use it inline, and not fiddle with other
> This alert on January 22nd, 2019 https://cyber.dhs.gov/ed/19-01/
> This alert was issued yesterday
> The timing of this change over taking place roughly 2+ weeks after the
> U.S. Government Shutdown is a little unfortunate, since the switch over
> date may have encouraged attacks before the old key was revoked. I do
> think the re-key is a good idea, and agree with Tony Finch on the concept
> "[I favour annual rollovers, with keys generated and promulgated out
> of band a few years in advance, and at most two KSKs in the root zone at
> any time.]"
> I welcome any comments.
We (currently, and until proven otherwise) don't believe that the old key
was compromised / factored -- rolling is simply good hygiene.
> Lee Neubecker, CISSP
> President & CEO
> 65 W. Jackson Blvd., Suite 101
> Chicago, IL 60604
> Toll Free/Fax: 888-503-0665
> Computer Forensics · Cyber Security Readiness & Response · Online Identity
> Check out my security blog at https://leeneubecker.com
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
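
Added example, not part of the original message: the reply above describes attackers changing nameservers / address records through registrar or DNS provider accounts, so one defensive check is to diff the records currently published against a known-good baseline. The zone names, addresses, snapshot format and severity labels below are constructed for illustration and are assumptions of this example.

```python
# Constructed sample data: known-good records and what is published now.
BASELINE = {
    ("example.org.", "NS"): {"ns1.provider.example.", "ns2.provider.example."},
    ("www.example.org.", "A"): {"192.0.2.10"},
    ("mail.example.org.", "A"): {"192.0.2.25"},
}
OBSERVED = {
    ("example.org.", "NS"): {"NS1.unknown-host.example", "ns2.unknown-host.example."},
    ("www.example.org.", "A"): {"192.0.2.10"},
    ("mail.example.org.", "A"): {"198.51.100.7"},
    ("login.example.org.", "A"): {"198.51.100.9"},
}

def canon(rtype, value):
    """Normalise a value so case and trailing-dot differences are not flagged."""
    v = value.strip().lower()
    if rtype in ("NS", "CNAME", "MX") and not v.endswith("."):
        v += "."
    return v

def audit(baseline, observed):
    """Return one finding per record set that differs from the baseline."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        name, rtype = key
        want = {canon(rtype, v) for v in baseline.get(key, ())}
        have = {canon(rtype, v) for v in observed.get(key, ())}
        if want == have:
            continue
        if rtype == "NS" and want and not (want & have):
            # No expected nameserver remains: the whole zone is now answered
            # by other servers, the pattern described in the reply above.
            severity = "critical"
        elif key not in baseline:
            severity = "review"   # a name nobody recorded as expected
        else:
            severity = "high"     # a known record now points somewhere else
        findings.append({"name": name, "type": rtype, "severity": severity,
                         "added": sorted(have - want),
                         "removed": sorted(want - have)})
    return findings

if __name__ == "__main__":
    for f in audit(BASELINE, OBSERVED):
        print(f["severity"], f["name"], f["type"], "+", f["added"], "-", f["removed"])
```

In practice the observed snapshot would come from querying the parent zone and the registrar's record of the delegation, not only the zone's own servers.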