[ksk-rollover] Any potential correlation between the roll over and the recent notice by the US Department of Homeland Security on DNS Cyber Attacks?

Warren Kumari warren at kumari.net
Fri Jan 25 20:17:12 UTC 2019

On Fri, Jan 25, 2019 at 2:31 PM Lee Neubecker <
lee.neubecker at greatlakesforensics.com> wrote:

> I wanted to make sure you were all aware of several notices issued which
> came just before and after the root key change over for DNS. Bad actors
> with access to the older private key root (if compromised) may have been
> motivated to strike before the key change over.
> https://www.cyberscoop.com/dhs-dns-directive-government-shutdown/
> This alert went out the day before change over on January 10th, 2019.
> https://www.us-cert.gov/ncas/current-activity/2019/01/10/DNS-Infrastructure-Hijacking-Campaign

Nope, these are unrelated -- the attacks above are simply attackers logging
into registrar / DNS provider accounts using the victims credentials
(either collected through phishing, brute-forcing, or, most likely because
the registrants used the same credentials elsewhere) and changing the
nameservers / address records to point at nameservers which they control.
This isn't a DNSSEC related attack at all -- if attackers had the old key
and could still use it they would use it inline, and not fiddle with other

> This alert on January 22nd, 2019 https://cyber.dhs.gov/ed/19-01/
> This alert was issued yesterday
> https://www.us-cert.gov/ncas/alerts/AA19-024A
> The timing of this change over taking place roughly 2+ weeks after the
> U.S. Government Shutdown is a little unfortunate, since the switch over
> date may have encouraged attacks before the old key was revoked.  I do
> think the re-key is a good idea, and agree with Tony Finch on the concept
> of
> "[I favour annual rollovers, with keys generated and promulgated out
> of band a few years in advance, and at most two KSKs in the root zone at
> any time.]"
> I welcome any comments.
We (currently, and until proven otherwise) don't believe that the old key
was compromised / factored -- rolling is simply good hygiene.

> Lee Neubecker, CISSP
> President & CEO
> GreatLakesForensics.com
> 65 W. Jackson Blvd., Suite 101
> Chicago, IL  60604
> Toll Free/Fax: 888-503-0665
> https://greatlakesforensics.com
> Computer Forensics · Cyber Security Readiness & Response · Online Identity
> Investigations
> Check out my security blog at https://leeneubecker.com
> _______________________________________________
> ksk-rollover mailing list
> ksk-rollover at icann.org
> https://mm.icann.org/mailman/listinfo/ksk-rollover

I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20190125/a987c2b1/attachment.html>

More information about the ksk-rollover mailing list