25 Feb 2019, 8:16 a.m.
On 25/02/2019 11:37, Ask Bjørn Hansen wrote:
On Feb 24, 2019, at 22:03, Hank Nussbacher <hank@efes.iucc.ac.il> wrote:
Did you have a CAA record defined and if not, why not? If the attacker got a CA to issue the cert because they changed the DNS server to be their own, a CAA record wouldn’t have helped (or at least been even easier to thwart than DNSSEC).
Yes, if an attacker pwned the DNS then it's game over no matter what. I go under the assumption that the attacker was not able to take over the DNS system but rather other things along the way, in which case CAA should be of some assistance. -Hank
Ask
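To make the two positions in this exchange concrete, here is an added example (not from either poster) that evaluates a CA's authorization the way RFC 8659 describes: find the closest ancestor name that publishes CAA records, then check the `issue` (or `issuewild`) property for the CA's domain, refusing if an unrecognised property carries the critical flag. The zone data, the CA identifiers `ca-a.example` / `ca-b.example` and the function names are all constructed for illustration. The last function shows Ask's caveat: whoever controls the zone data can publish a CAA record naming any CA they like, so CAA only helps against an attacker who could not rewrite the zone.

```python
"""Evaluate whether a CA may issue for a name under RFC 8659 CAA rules,
using a constructed in-memory zone (no network access needed)."""

# Constructed sample zone: owner name -> list of (flags, tag, value) CAA records.
# 0x80 in flags is the "issuer critical" bit.
EXAMPLE_ZONE = {
    "example.com.": [
        (0, "issue", "ca-a.example"),                   # only ca-a may issue
        (0, "issuewild", ";"),                          # nobody may issue wildcards
        (0, "iodef", "mailto:security@example.com"),    # where to report problems
    ],
    "nocaa.example.com.": [],   # no CAA of its own; inherits from example.com.
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def _self_and_ancestors(name):
    """Yield name, then each parent up to the TLD (all fully qualified)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."


def relevant_caa(zone, name):
    """RFC 8659 section 3: the CAA RRset of the closest name (self or ancestor)
    that has a non-empty one. Returns (owner, rrset) or (None, [])."""
    for candidate in _self_and_ancestors(name):
        rrset = zone.get(candidate, [])
        if rrset:
            return candidate, rrset
    return None, []


def ca_may_issue(zone, name, ca_domain, wildcard=False):
    """True if ca_domain is permitted to issue a certificate for name."""
    _owner, rrset = relevant_caa(zone, name)
    if not rrset:
        return True  # no CAA anywhere up the tree: any CA may issue

    # An unrecognised property with the critical flag set forbids issuance.
    for flags, prop, _value in rrset:
        if flags & 0x80 and prop.lower() not in KNOWN_TAGS:
            return False

    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    tag = "issue"
    if wildcard and any(p.lower() == "issuewild" for _f, p, _v in rrset):
        tag = "issuewild"

    allowed = set()
    for _flags, prop, value in rrset:
        if prop.lower() != tag:
            continue
        issuer = value.split(";", 1)[0].strip().lower()  # drop parameters
        if issuer:  # a bare ";" means "no issuer", so it adds nothing
            allowed.add(issuer)
    return ca_domain.lower() in allowed


def attacker_controlled_zone(zone, name, attacker_ca):
    """Constructed illustration of the caveat in the thread: if the zone data
    itself is under the attacker's control, they simply publish a CAA record
    naming their chosen CA, and the CAA check passes for that CA."""
    hijacked = dict(zone)
    hijacked[name] = [(0, "issue", attacker_ca)]
    return ca_may_issue(hijacked, name, attacker_ca)


if __name__ == "__main__":
    print(ca_may_issue(EXAMPLE_ZONE, "www.example.com.", "ca-a.example"))            # True
    print(ca_may_issue(EXAMPLE_ZONE, "www.example.com.", "ca-b.example"))            # False
    print(ca_may_issue(EXAMPLE_ZONE, "www.example.com.", "ca-a.example", True))      # False
    print(attacker_controlled_zone(EXAMPLE_ZONE, "www.example.com.", "ca-b.example"))  # True
```

The honest CA path (`ca_may_issue`) is what a compliant CA runs before issuing; the hijacked path shows why the defence depends on DNS integrity, which is where DNSSEC and registrar or name-server account hardening come in.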