On Feb 25, 2019, at 1:16 PM, Hank Nussbacher <hank@efes.iucc.ac.il> wrote:
> Yes, if an attacker pwned the DNS then game over no matter what. I go under the assumption that the attacker was not able to take over the DNS system but rather other things along the way, in which case CAA should be of some assistance.
I’m excited about a proposed CAA extension (https://tools.ietf.org/html/draft-ietf-acme-caa-06) that would allow domain owners to restrict issuance to a particular ACME account and a particular validation method. This could provide stronger protection against most attacks short of a registry or registrar hijack. It’s implemented in Let’s Encrypt’s staging environment, and I hope it’s able to move forward.

-- 
James Renken (pronouns: he/him)
Internet Security Research Group
Let’s Encrypt: A Free, Automated, and Open CA
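The restriction the draft describes is expressed as two parameters on an ordinary CAA "issue" or "issuewild" record, accounturi and validationmethods (the draft was later published as RFC 8657). The following is an added example, not code from the thread or from Let’s Encrypt, showing the check a CA would run before issuing: parse the CAA property value, match the issuer domain, and then refuse unless the requesting ACME account URI and the validation method it completed both satisfy the parameters. The account URI, record set and domain names are constructed for the example; treating the accounturi comparison as an exact string match and treating unrecognized parameters as non-authorizing are assumptions of this example rather than statements about the draft or any CA’s implementation.

```python
"""Evaluate CAA issue/issuewild records carrying the accounturi and
validationmethods parameters, the way a CA would before issuing.
Added example; not Let's Encrypt, Boulder or IETF code."""
from dataclasses import dataclass, field


@dataclass
class CAARecord:
    flags: int
    tag: str        # "issue", "issuewild" or "iodef"
    value: str      # property value, e.g. 'ca.example; accounturi=...'


@dataclass
class IssuePolicy:
    issuer: str                          # "" means "nobody may issue" (the ";" record)
    params: dict = field(default_factory=dict)


# Parameters this example understands; anything else is treated as
# non-authorizing (a conservative choice made here, not taken from the draft).
KNOWN_PARAMS = {"accounturi", "validationmethods"}


def parse_issue_value(value: str) -> IssuePolicy:
    """Split 'issuer-domain; k=v; k2=v2' into an IssuePolicy.

    Parameter names are lowercased; values are kept as written because the
    account URI is compared exactly (assumption of this example)."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower().rstrip(".")
    params = {}
    for p in parts[1:]:
        if not p:
            continue                      # trailing ';' or the bare ';' record
        if "=" not in p:
            raise ValueError(f"malformed CAA parameter: {p!r}")
        k, v = p.split("=", 1)
        params[k.strip().lower()] = v.strip()
    return IssuePolicy(issuer, params)


def _params_authorize(params: dict, account_uri: str, method: str):
    """Apply accounturi / validationmethods to one matching issue record."""
    unknown = set(params) - KNOWN_PARAMS
    if unknown:
        return False, f"unrecognized parameter(s) {sorted(unknown)}"
    if "accounturi" in params and params["accounturi"] != account_uri:
        return False, "accounturi does not match the requesting ACME account"
    if "validationmethods" in params:
        allowed = {m.strip().lower()
                   for m in params["validationmethods"].split(",") if m.strip()}
        if method.lower() not in allowed:
            return False, f"validation method {method} not in {sorted(allowed)}"
    return True, "ok"


def issuance_allowed(records, ca_domain, account_uri, method, wildcard=False):
    """Return (allowed, reason) for a CA identified by ca_domain, acting for
    the ACME account at account_uri after completing `method`."""
    tag = "issuewild" if wildcard else "issue"
    relevant = [r for r in records if r.tag == tag]
    if wildcard and not relevant:
        # RFC 8659: issue records also govern wildcards when no issuewild exists
        relevant = [r for r in records if r.tag == "issue"]
    if not relevant:
        return True, "no issue/issuewild property present: issuance unrestricted"
    ca_domain = ca_domain.lower().rstrip(".")
    reasons = []
    for rec in relevant:
        pol = parse_issue_value(rec.value)
        if pol.issuer != ca_domain:
            reasons.append(f"record names {pol.issuer or '<nobody>'}, not {ca_domain}")
            continue
        ok, why = _params_authorize(pol.params, account_uri, method)
        if ok:
            return True, f"authorized by {rec.tag} {rec.value!r}"
        reasons.append(why)
    return False, "; ".join(reasons)


# Constructed sample zone data: one CA, one account, DNS-01 only, no wildcards.
OWNER_ACCOUNT = "https://acme-staging.example/acme/acct/12345"   # constructed URI
SAMPLE_RECORDS = [
    CAARecord(0, "issue", "letsencrypt.org; accounturi=" + OWNER_ACCOUNT
              + "; validationmethods=dns-01"),
    CAARecord(0, "issuewild", ";"),                 # nobody may issue wildcards
    CAARecord(0, "iodef", "mailto:security@example.com"),
]


if __name__ == "__main__":
    # An attacker who hijacked HTTP but not DNS, using their own ACME account:
    print(issuance_allowed(SAMPLE_RECORDS, "letsencrypt.org",
                           "https://acme-staging.example/acme/acct/99999", "http-01"))
```

Running the block prints the refusal reason for an attacker who controls the web server but uses a different ACME account and HTTP-01; the same request from the owner’s account over DNS-01 is authorized. Without the two parameters, the plain `issue "letsencrypt.org"` record would have allowed both.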