[cryptography] [OT]: SQL injection blamed for widespread DNS hack
johnl at iecc.com
Sun Sep 11 22:24:14 EDT 2011
>While PKI has many shortcomings, DigiNotar has shown the industry can
>effectively kill off a deficient CA. Are there any measures in place
>to keep a deficient registrar out of DNS? Or will NetNames still be
>serving up records with a promise to do better?
Interesting question. For registars for names managed by ICANN
(generic TLDs such as .com), there is a registrar accreditation
agreement which sets out minimum performance standards. But I just
read it and they seem to have forgotten to requires that the registrar
shall use adequate security to maintain registrant data. In any
event, ICANN is notoriously bad at enforcing any part of the registrar
agreement other than the part about getting paid.
For .UK domains, the Nominet registrar contract requires ("you" is the
You promise us that in respect of every Transaction request you make:
2.7.1. you have the authority of the Registrant to make that request
and (if applicable) enough authority from the registrant to fully
commit them to all the terms of the contract or obligations
connected with that request; ...
2.8. If you break any of the promises in clause 2.7 and we or our
staff (including contractors or agents) or directors later suffer
loss caused in whole or in part upon our reliance on those promises,
you will pay us back for those losses, including any damage to our
reputation, and the reasonable costs of any investigation,
litigation or settlement. If you are only partly responsible, you
would only have to pay your fair share.
So they're in breach of contract if they allow bogus transactions, but
I have no idea whether Nominet has ever tried to enforce that.
So the short answer to your question is "maybe". At least security
failures at registrars only screw up the info for their own customers,
as opposed to CA failures which can screw up the info for anyone.
More information about the cryptography