[sdnog] ISC website hacked

Hiba Eltigani higba6 at gmail.com
Tue Dec 30 17:39:21 SAST 2014


Domainkey is new for me :) but I think each one of the others works on a
different aspect. DNSSEC for records authentication, HTTPS for content and
information protection and SPF to protect against spoofing in emails.

On Dec 30, 2014 2:35 PM, "Tarig Yassin" <tariq198487 at hotmail.com> wrote:

> Very valuable information indeed. We haven't implemented it yet :)
>
> I am still confused, we have a lot of techniques: DNSSEC, HTTPS,
> Domainkey, and SPF.
>
> I do not know which one is better for this case (authenticate the site).
>
> > Subject: Re: [sdnog] ISC website hacked
> > From: nishal at controlfreak.co.za
> > Date: Tue, 30 Dec 2014 13:13:02 +0200
> > CC: sdnog at sdnog.sd
> > To: tariq198487 at hotmail.com
> >
> >
> > > On 30 Dec 2014, at 07:50, Tarig Yassin <tariq198487 at hotmail.com>
> wrote:
> > >
> > > how can we know if the current page really belongs to ISC ????
> >
> > good question!
> > are you doing DNSSEC validation for your DNS caches?
> >
> > remember that DNSSEC has two parts; signing (which in this case would
> need to be done by ISC), and validation (which needs to be done by your
> local DNS resolver).
> > if ISC were signing their zone, then the answer you would have gotten in
> DNS, for the response to "what is the IP address of your website" would be
> signed, and that signature would be verifiable. so, if you didn't get an
> error when trying to verify this signed address, then you know it's
> actually the IP address for ISC's website, right?
> > fortunately, ISC _do_ sign their zone ;-) so you _do_ have a signature
> to validate against. so that's a really good start, but are you actually
> doing this ?
> >
> > fortunately, doing DNSSEC validation is very easy. and not at all related to
> you needing to sign your zones (which is a slightly longer process). here
> is a link to a very easy to follow how-to:
> https://dnssec.surfnet.nl/?p=402 if you use BIND or unbound. it's
> something that you can turn on, without fear of it breaking your network.
> google's 8.8.8.8 uses it; and, as i mentioned at the meeting, at least one
> ISP in sudan does this already ;-) so, step #1 to answer your question -
> start doing validation. do it today!
> >
> > of course, all this means is that you are sure that the IP address that
> you receive in response to your DNS question is the right IP address. if
> there is any MITM stuff that is actively intercepting HTTP (this is higher
> up the stack than DNS!) requests to isc.org, then simple DNSSEC
> validation won't help with that. but something else, that i had mentioned
> at sdNOG-1 called DANE, will. this is still mostly work in progress, but
> you can read more about it here:
> http://datatracker.ietf.org/wg/dane/documents/
> >
> > of course, you need to do validation first :-)
> >
> > --n.
>
>
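A check for the question asked in the quoted message ("are you doing DNSSEC validation for your DNS caches?"), as an added example that is not part of the original thread: a query with the EDNS0 DO bit set, and a classifier for the resolver's reply based on the AD flag and RCODE. The function names and the sample replies are constructed for illustration.

```python
import struct

QR, AD, RCODE_MASK, SERVFAIL = 0x8000, 0x0020, 0x000F, 2

def build_query(name, qtype=1, txid=0x1234):
    """DNS query for `name` (qtype 1 = A) with RD set and the EDNS0 DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-record: root name, type 41, UDP size 1232,
    # extended rcode 0, version 0, flags with DO (0x8000), no options.
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def classify(reply):
    """Read the header of a resolver reply and report its validation status."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", reply[2:4])[0]
    if not flags & QR:
        raise ValueError("not a response")
    rcode = flags & RCODE_MASK
    if rcode == SERVFAIL:
        # A validating resolver answers SERVFAIL when signatures do not verify
        # (other resolver failures produce the same code).
        return "servfail"
    if rcode == 0 and flags & AD:
        return "validated"      # resolver checked the signatures
    return "not-validated"      # answer returned without DNSSEC validation

def sample_reply(flags):
    """Constructed header-only reply carrying the given flags word."""
    return struct.pack("!HHHHHH", 0x1234, flags, 0, 0, 0, 0)

# Constructed samples: QR|RD|RA|AD, QR|RD|RA, QR|RD|RA + SERVFAIL.
SAMPLES = {"signed, validating resolver": sample_reply(0x81A0),
           "non-validating resolver": sample_reply(0x8180),
           "bogus signature": sample_reply(0x8182)}

if __name__ == "__main__":
    print(len(build_query("isc.org")), "byte query with DO set")
    for label, reply in SAMPLES.items():
        print(f"{label}: {classify(reply)}")
```

The AD flag is only meaningful when the path to the resolver is trusted, for example a validating BIND or unbound instance on the same host or network segment. To test a real cache, send `build_query("isc.org")` over UDP to port 53 of that resolver and pass the reply to `classify`.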