Re: [CPWG] [technical-issues] Cyberspies Hijacked the Internet Domains of Entire Countries
Hi Olivier
Why isn’t this something that ALAC should take up?
Holly
On Apr 20, 2019, at 3:30 AM, Olivier MJ Crépin-Leblond <ocl@gih.com> wrote:
Dear colleagues,
I have just read an article on Wired that speaks of mass scale cyber attacks on the DNS: https://www.wired.com/story/sea-turtle-dns-hijacking/
This looks very serious indeed. Furthermore, it appears to be happening on domains that are not DNSSEC enabled/signed. And of course, this is a known vulnerability. But one thing that has somehow shocked me was that one of the ways to avoid this was using a "Registry Lock" which many Registries were unwilling to implement.
Is it time to (a) ask SSAC what this is all about and (b) get the ICANN Board to mandate an essential security implementation before the whole DNS falls apart for lack of trust? Or is this article way too alarmist? My big concern at the moment is that if I was a Government representative, I'd ask "who runs this DNS?" and upon being told it's ICANN, I'd think that ICANN is incompetent in making the DNS safe from attack. As a result -> DNS is a critical resource -> get it run by countries rather than this incompetent organisation. (a lose-lose for all of us)
Kindest regards,
Olivier
_______________________________________________
Technical-issues mailing list
Technical-issues@atlarge-lists.icann.org
https://atlarge-lists.icann.org/mailman/listinfo/technical-issues
There's no denying the potential end user impact.
Marita
On 4/20/2019 4:24 AM, Holly Raiche wrote:
Hi Olivier
Why isn’t this something that ALAC should take up?
Holly
_______________________________________________
CPWG mailing list
CPWG@icann.org
https://mm.icann.org/mailman/listinfo/cpwg
Yes, it is an issue that concerns the domain name User. ALAC could initiate the necessary steps on what needs to be done by ICANN.
You mentioned "a "Registry Lock" which many Registries were unwilling to implement." As a domain registrant, I am familiar with a Domain Lock, by whatever name it is called, that the Registrant chooses to lock or unlock, but most registrants don't frequently log in to the Domain Control panel, or even once. This lock needs to be set by default to "lock"; I am not sure if the domain name is locked when registered, by all Registrars across the DNS space.
If the "Registry lock" or the "Registrar Lock" https://en.wikipedia.org/wiki/Registrar-Lock is different from the lock that is available to the Registrant, then ALAC could examine this with the required technical advice to examine if it may recommend that all Registries and Registrars could implement and lock it by default, even if this leads to a slight delay in the domain transfer process.
Sivasubramanian M <https://www.facebook.com/sivasubramanian.muthusamy> twitter.com/shivaindia
On Wed, Apr 24, 2019 at 3:59 PM Marita Moll <mmoll@ca.inter.net> wrote:
There's no denying the potential end user impact.
Marita
_______________________________________________
registration-issues-wg mailing list
registration-issues-wg@atlarge-lists.icann.org
https://mm.icann.org/mailman/listinfo/registration-issues-wg
Wasn't subscribed with this email address, subscribed now, and posting it again. If there is a duplication, apologies.
On Wed, Apr 24, 2019 at 4:18 PM sivasubramanian muthusamy <6.internet@gmail.com> wrote:
Yes, it is an issue that concerns the domain name User. ALAC could initiate the necessary steps on what needs to be done by ICANN.
You mentioned "a "Registry Lock" which many Registries were unwilling to implement." As a domain registrant, I am familiar with a Domain Lock, by whatever name it is called, that the Registrant chooses to lock or unlock, but most registrants don't frequently log in to the Domain Control panel, or even once. This lock needs to be set by default to "lock"; I am not sure if the domain name is locked when registered, by all Registrars across the DNS space.
If the "Registry lock" or the "Registrar Lock" https://en.wikipedia.org/wiki/Registrar-Lock is different from the lock that is available to the Registrant, then ALAC could examine this with the required technical advice to examine if it may recommend that all Registries and Registrars could implement and lock it by default, even if this leads to a slight delay in the domain transfer process.
Sivasubramanian M <https://www.facebook.com/sivasubramanian.muthusamy> twitter.com/shivaindia
Dear Holly,
I am not saying it shouldn't. Just asking an open question. BTW as CPWG is now CC'ed to this, Michele Neylon informed us that the Wired article was alarmist and a more accurate coverage of the incident would be the Register article: https://www.theregister.co.uk/2019/04/17/sea_turtle_dns/
Registry lock is probably the feature that should be enabled by default.
Kindest regards,
Olivier
On 20/04/2019 04:24, Holly Raiche wrote:
Hi Olivier
Why isn’t this something that ALAC should take up?
Holly
Thank you Olivier for the links. I did not read it yet, but I agree that this has direct impact on end users and certainly on top of their interests.
Kindest Regards
Hadia
________________________________
From: CPWG <cpwg-bounces@icann.org> on behalf of Olivier MJ Crépin-Leblond <ocl@gih.com>
Sent: 20 April 2019 09:25
To: Holly Raiche
Cc: Technical issues; CPWG
Subject: Re: [CPWG] [technical-issues] Cyberspies Hijacked the Internet Domains of Entire Countries
Dear Holly,
I am not saying it shouldn't. Just asking an open question. BTW as CPWG is now CC'ed to this, Michele Neylon informed us that the Wired article was alarmist and a more accurate coverage of the incident would be the Register article: https://www.theregister.co.uk/2019/04/17/sea_turtle_dns/
Registry lock is probably the feature that should be enabled by default.
Kindest regards,
Olivier
participants (5)
- Hadia Abdelsalam Mokhtar EL miniawi
- Holly Raiche
- Marita Moll
- Olivier MJ Crépin-Leblond
- sivasubramanian muthusamy