
Say a citizen-run journalist site is a target of a hostile government. The site is hosted over HTTPS in a different country, outside the government's reach. However, the site's domain name is within the country's top-level domain.

I think the most likely route for the hostile government is to take over the DNS record, intercept ACME and simply replace the infrastructure with their own, without the users necessarily noticing, after which slow-paced censorship can start taking place.

What is the most likely sequence of steps the hostile government will perform to take over the DNS record?

  • no DNSSEC enabled
  • DNSSEC enabled

Does the usage of DNSSEC make the take-over easier or more difficult?

anon2328
    Replacing the infrastructure and changing content is probably the least likely path (too much work for them). If they don't like a particular news outlet, they'd just ban it and make sure only their own approved sources are available inside their country. – browsermator Jan 25 '24 at 18:43
  • Valid point, but the question is about this specific case that can arise in practice. The question really is about the technical aspects of domain takeover. – anon2328 Jan 25 '24 at 21:08
  • If the hostile government controls the TLD of the domain name, then the hostile government can take over the domain and point the domain name to their own DNS servers. At that point, they can get a valid certificate for the domain (using ACME or plain old domain validation) and host whatever content they want on a web server at that domain. DNSSEC won't help in this scenario. See https://moxie.org/2011/04/11/ssl-and-the-future-of-authenticity.html for some interesting reading on this subject. – mti2935 Jan 25 '24 at 22:25
  • Yeah, if DNSSEC is used, sounds like it'd be necessary to regenerate some keys down the tree. – anon2328 Jan 26 '24 at 16:01
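As an added illustration of the point made in the comments above (this is example code, not from the question or any commenter), a toy Go model of the DNSSEC chain of trust: a validating resolver only checks that each DS is signed by the parent zone and matches the child's key, so a delegation re-signed by the TLD operator validates cleanly, and only an out-of-band record of the site's own key notices the change. The zone names, keys and record values are constructed; the model is assumed and is not a real resolver or signer.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Zone is a toy DNSSEC zone (an assumed model, not a resolver): one key signs the zone's
// own record and the DS (SHA-256 of the child's key) it publishes for its delegated child.
type Zone struct {
	Pub                  ed25519.PublicKey
	priv                 ed25519.PrivateKey
	Data, DataSig, DSSig []byte
	DS                   [32]byte
}
// NewZone generates a zone key and signs the zone's record (constructed sample data).
func NewZone(data string) *Zone {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Zone{Pub: pub, priv: priv, Data: []byte(data), DataSig: ed25519.Sign(priv, []byte(data))}
}
// Delegate publishes a signed DS for child; the parent alone decides what it points at.
func (z *Zone) Delegate(child *Zone) { z.DS = sha256.Sum256(child.Pub); z.DSSig = ed25519.Sign(z.priv, z.DS[:]) }
// Validate walks root -> TLD -> site from the trust anchor as a validating resolver does.
func Validate(anchor ed25519.PublicKey, chain []*Zone) bool {
	for i, z := range chain {
		if !ed25519.Verify(z.Pub, z.Data, z.DataSig) { // record signed by this zone's key
			return false
		}
		if i+1 < len(chain) && !(ed25519.Verify(z.Pub, z.DS[:], z.DSSig) && z.DS == sha256.Sum256(chain[i+1].Pub)) {
			return false // DS must be signed by the parent and match the child's key
		}
	}
	return bytes.Equal(chain[0].Pub, anchor)
}
// Scenario: the TLD re-delegates the site to a key its owner never made while the path to
// the root stays intact. Returns (dnssecAcceptsSwap, outOfBandPinDetectsSwap).
func Scenario() (bool, bool) {
	root, tld, site := NewZone("root"), NewZone("tld"), NewZone("203.0.113.10")
	root.Delegate(tld)
	tld.Delegate(site)
	other := NewZone("198.51.100.7") // key and record the site owner never created
	tld.Delegate(other)              // new DS signed with the TLD's own key: chain stays valid
	accepted := Validate(root.Pub, []*Zone{root, tld, other})
	// Nothing in the chain knows which key the owner created; only a record of the site's
	// own key kept by the operator (or published elsewhere) notices the swap.
	return accepted, !bytes.Equal(other.Pub, site.Pub)
}
func main() { a, d := Scenario(); println(a, d) }
```

Monitoring the domain's DS and DNSKEY records against a copy the operator keeps is the defensive counterpart of this pin check; validation status alone says nothing about who holds the key.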

0 Answers