[sdnog] ISC website hacked

Nishal Goburdhan nishal at controlfreak.co.za
Tue Dec 30 13:13:02 SAST 2014


> On 30 Dec 2014, at 07:50, Tarig Yassin <tariq198487 at hotmail.com> wrote:
> 
> how can we know if the current page really belongs to ISC ????

good question!  
are you doing DNSSEC validation for your DNS caches? 

remember that DNSSEC has two parts: signing (which in this case would need to be done by ISC), and validation (which needs to be done by your local DNS resolver).
if ISC were signing their zone, then the answer you would have gotten in DNS, for the response to "what is the IP address of your website" would be signed, and that signature would be verifiable.  so, if you didn't get an error when trying to verify this signed address, then you know it's actually the IP address for ISC's website, right? 
fortunately, ISC _do_ sign their zone  ;-)   so you _do_ have a signature to validate against.  so that's a really good start, but are you actually doing this ?

fortunately, doing DNSSEC validation is very easy.  and not at all related to you needing to sign your zones (which is a slightly longer process).  here is a link to a very easy to follow how-to:  https://dnssec.surfnet.nl/?p=402  if you use BIND or unbound.  it's something that you can turn on, without fear of it breaking your network.  google's 8.8.8.8 uses it;  and, as i mentioned at the meeting, at least one ISP in Sudan does this already  ;-)    so, step #1 to answer your question - start doing validation.  do it today! 

of course, all this means is that you are sure that the IP address that you receive in response to your DNS question is the right IP address.  if there is any MITM stuff that is actively intercepting HTTP (this is higher up the stack than DNS!) requests to isc.org, then simple DNSSEC validation won't help with that.  but something else, that i had mentioned at sdNOG-1 called DANE, will.  this is still mostly work in progress, but you can read more about it here:  http://datatracker.ietf.org/wg/dane/documents/

of course, you need to do validation first  :-)   

--n.
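The post's "are you actually doing this?" has a concrete check: a validating resolver sets the AD (authenticated data) flag on answers it verified, and answers SERVFAIL when the signatures it checked are bogus. The script below is an added example, not part of the original post or of any ISC tool; it parses the header lines `dig` prints and gives a one-word verdict. The sample outputs (`SAMPLE_*`) are constructed for the example, and the resolver address in the comments is a placeholder.

```shell
#!/bin/sh
# Added example: decide from `dig +dnssec` output whether the resolver that
# answered performed DNSSEC validation.
#
#   NOERROR + "ad" in flags  -> the resolver validated the answer
#   NOERROR, no "ad"         -> resolver is not validating (or zone unsigned)
#   SERVFAIL                 -> validation failed, or some other server error
#
# Live usage (needs dig and network):  check_resolver 127.0.0.1
# where 127.0.0.1 is your own cache; swap in any resolver you want to test.

# Take one dig output (as a single string) and print the verdict.
validation_status() {
    out="$1"
    # ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242"
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    # ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, ..."
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR)
            case " $flags " in
                *" ad "*) echo validated ;;
                *)        echo unvalidated ;;
            esac ;;
        SERVFAIL) echo bogus-or-error ;;
        *)        echo "unknown:$status" ;;
    esac
}

# Query a resolver for the signed zone named in the thread and classify the reply.
check_resolver() {
    resolver="$1"
    validation_status "$(dig +dnssec isc.org A "@$resolver")"
}

# Constructed sample outputs (not real captures) covering the three cases.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Demo on the constructed samples: prints validated / unvalidated / bogus-or-error
validation_status "$SAMPLE_VALIDATED"
validation_status "$SAMPLE_UNVALIDATED"
validation_status "$SAMPLE_BOGUS"
```

If your own cache reports `unvalidated` for a signed zone such as isc.org, validation is switched off: in BIND 9 that is `dnssec-validation auto;` inside the `options` block of named.conf, and in unbound it is an `auto-trust-anchor-file:` line pointing at the root trust anchor, exactly the two daemons the linked how-to covers. A `bogus-or-error` verdict on a zone you know is good usually means a stale trust anchor or broken clocks on the resolver rather than an attack, so check those before anything else.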
