A Deep Dive on the Recent Widespread DNS Hijacking

Hank Nussbacher hank at efes.iucc.ac.il
Mon Feb 25 06:03:50 UTC 2019


On 25/02/2019 07:20, Bill Woodcock wrote:
>> On Feb 24, 2019, at 7:41 PM, Montgomery, Douglas (Fed) <dougm at nist.gov> wrote:
>> In the 3rd attack noted below, do we know if the CA that issued the DV CERTS does DNSSEC validation on its DNS challenge queries?
> We know that neither Comodo nor Let's Encrypt were DNSSEC validating before issuing certs.  The Let’s Encrypt guys at least seemed interested in learning from their mistake.  Can’t say as much of Comodo.
>
>                                  -Bill

Bill,

Did you have a CAA record defined and if not, why not?

-Hank




