Microsoft deems all DigiNotar certificates untrustworthy, releases

fredrik danerklint fredan-nanog at
Mon Sep 12 09:46:04 UTC 2011

> > How about a TXT record with the CN string of the CA cert subject in it?
> > If it exists and there's a conflict, don't trust it.  Seems simple
> > enough to implement without too much collateral damage.
> Needs to be a DNSSEC-validated TXT record, or you've opened yourself up
> to attacks via DNS poisoning (either insert a malicious TXT that matches
> your malicious certificate, or insert a malicious TXT that intentionally
> *doesn't* match the vicitm's certificate)....

And how do you validate the dnssec to make sure that noone has tampered with 


More information about the NANOG mailing list