← Back to context

Comment by Avamander

3 years ago

DNSSEC operators can be strong-armed the same way. You will also lose out on transparency logs.

In the end law enforcement can also walk up to the machine/hypervisor and steal/monitor interesting things from that as well. This is funnily the exact evil maid threat scenario so many (especially Linux people) find unrealistic.

you could run your own dnssec servers (not too hard). and monitor the DS records for your domain at the TLD. have there been any reported cases of law enforcement changing DNSSEC (e.g. adding a DS record)?

i agree there's probably no way to keep a machine hosted at a company secure from law enforcement. also why i suggested storage and anything in ram on the machine can be considered compromised. this attack (swapping out network connection for a while to get a certificate through let's encrypt) was probably easiest/least intrusive. if it wasn't an option, the next easiest option would be taken. perhaps the options that are harder to execute are more likely to be detected, or less likely to be worthwhile.

  • > have there been any reported cases of law enforcement changing DNSSEC (e.g. adding a DS record)?

    It's not like anybody is watching or using DNSSEC like that. Also at best you might be able to detect a change but it won't prevent the attack and neither will it leave a long-term mark like CT would.

  • >keep a machine hosted at a company secure from law enforcement

    Your own hardware + continuous video monitoring is probably good enough. The idea is not to keep it secure, but to know when a breach has happened.

> DNSSEC operators can be strong-armed the same way. You will also lose out on transparency logs.

Kepping DNS registry, CA, and hosting in different jurisdictions could be a noticeable improvement...