
DNS takeover is a huge issue, but some kinds of mitigation like Registry Lock (as opposed to Registrar Lock aka clientTransferProhibited) also seem to be fairly inherently pricey. It requires multiple actual humans involved, like for .com having the right person actually pick up the phone at the registrar and get in touch with Verisign. Cloudflare offers it for example, but only for their enterprise class Custom Domain Protection [1] service, which they explicitly describe as "high touch" or "very manual", since the whole point is that it's a fully offline/out-of-band communication requirement.

In principle it seems to me that there could be a "per-incident" price model that would be more accessible to more general DNS users who set up their core domain DNS and touch it once a decade, where a flat upfront $200 payment (spitballing) enables Registry Lock and two uses, after which the fee must be paid again for more. The idea here is that you'd directly be paying the $100/hour or whatever it costs a couple of engineers to take time for this each time, on the logic you'd be using it very infrequently. This would avoid ongoing subscription costs, which might be easier to justify for non-enterprises, while still being feasible for a registrar. I don't know of anyone who does this though.

A lot I think ultimately really does come down to the registry itself and their specific security practices, as well as fundamental tensions between stopping alterations by unauthorized people while enabling recovery by authorized-but-forgot-password-or-token-broke-or[...]-people. Supporting hardware factors for example is great, but if support can just override them that's a hole. Conversely there needs to be some fallback procedure for if a token breaks (maybe a super long key written down and put in a vault, maybe based on payment information). Some methods can be real footguns too, my current registrar for example offers IP address/range restriction options, but it's not hard to see how that could come back around to bite you in the butt in an emergency if not used quite carefully. It's one of many tough problems due to the ongoing primitive state of electronic authentication I guess.

Edit to add: useful direct quote on Registrar vs Registry Lock from their initial enterprise-only CloudFlare registrar launch [2]:

>"Many registrars support Registrar Lock, which prevents the registry from altering information unless the lock is explicitly removed. The problem is, if an attacker compromises your registrar account, they can unlock it and make whatever changes they want."

>"Registry Lock prevents changes by any registrar until the lock is removed. Unlocking at the registry level requires out-of-band communication between the registrar and Verisign (the global registry operator for several top-level domains), and is thus very manual. Since most registrars are volume operations, it’s very difficult to find one that takes the time to literally pick up the phone and call Verisign every time someone makes a change to their DNS settings."

So yeah I'm sure that stops attackers real well, but not exactly scalable. "[I]f you’re an organization where losing your domains would be a front-page story..." indeed!


1: https://www.cloudflare.com/products/registrar/custom-domain-...

2: https://blog.cloudflare.com/introducing-cloudflare-registrar...
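One thing a domain owner can actually check is whether the registry-level locks the comment describes are present on their own domain. Registry Lock at Verisign-operated TLDs is expressed as the EPP statuses serverTransferProhibited, serverUpdateProhibited and serverDeleteProhibited, while Registrar Lock only sets the client* equivalents; RDAP reports these as lower-case, space-separated status values (RFC 8056). The example below is added here and is not from the commenter or from Cloudflare; it classifies a domain's lock tier from a constructed RDAP response, and the helper name `classify_lock` is my own.

```python
import json

# EPP status values as RDAP spells them (RFC 8056 mapping).
# server* statuses can only be set/cleared by the registry (Registry Lock);
# client* statuses are set by the registrar and fall with a registrar-account compromise.
REGISTRY_LOCK_STATUSES = {
    "server transfer prohibited",
    "server update prohibited",
    "server delete prohibited",
}
REGISTRAR_LOCK_STATUSES = {
    "client transfer prohibited",
    "client update prohibited",
    "client delete prohibited",
}


def classify_lock(rdap_json: str) -> dict:
    """Classify the lock tier implied by an RDAP domain object's status array.

    Caveat: a registry may set a single server* status for reasons unrelated to
    Registry Lock (e.g. a dispute hold), so only the full set is reported as locked.
    """
    data = json.loads(rdap_json)
    statuses = {s.strip().lower() for s in data.get("status", [])}
    registry = REGISTRY_LOCK_STATUSES & statuses
    registrar = REGISTRAR_LOCK_STATUSES & statuses
    if registry == REGISTRY_LOCK_STATUSES:
        level = "registry-lock"
    elif registry:
        level = "partial-registry-lock"
    elif registrar:
        level = "registrar-lock-only"
    else:
        level = "unlocked"
    return {
        "level": level,
        "missing_registry_locks": sorted(REGISTRY_LOCK_STATUSES - statuses),
        "registrar_locks": sorted(registrar),
    }


# Constructed sample responses in RFC 9083 domain-object shape; not real lookups.
SAMPLE_REGISTRAR_ONLY = json.dumps({
    "objectClassName": "domain", "ldhName": "example.test",
    "status": ["client transfer prohibited", "client delete prohibited"],
})
SAMPLE_REGISTRY_LOCKED = json.dumps({
    "objectClassName": "domain", "ldhName": "example.test",
    "status": ["client transfer prohibited", "server transfer prohibited",
               "server update prohibited", "server delete prohibited"],
})

if __name__ == "__main__":
    for label, sample in (("registrar-only", SAMPLE_REGISTRAR_ONLY),
                          ("registry-locked", SAMPLE_REGISTRY_LOCKED)):
        print(label, classify_lock(sample))
```

Against a live domain, the same function can be fed the JSON from a query to the TLD's RDAP base URL (listed in IANA's RDAP bootstrap registry); a "registrar-lock-only" result is exactly the gap the quoted Cloudflare text warns about.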
