A Deep Dive on the Recent Widespread DNS Hijacking
hank at efes.iucc.ac.il
Mon Feb 25 13:16:23 UTC 2019
On 25/02/2019 11:37, Ask Bjørn Hansen wrote:
>> On Feb 24, 2019, at 22:03, Hank Nussbacher <hank at efes.iucc.ac.il> wrote:
>> Did you have a CAA record defined and if not, why not?
> If the attacker got a CA to issue the cert because they changed the DNS server to be their own, a CAA record wouldn’t have helped (or at least been even easier to thwart than DNSSEC).
Yes, if an attacker pwned the DNS then it's game over no matter what. I go
under the assumption that the attacker was not able to take over the DNS
system but rather other things along the way, in which case CAA should
be of some assistance.
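As an added illustration, not code from this thread or from any CA: the decision a CA is supposed to make under the RFC 8659 CAA algorithm, run offline against a constructed zone table, which is useful for auditing what your own CAA policy would and would not block. The zone data and CA identifiers are constructed; the check is only as trustworthy as the DNS answers it consumes, which is exactly the distinction drawn above.

```python
"""Evaluate CAA authorization per RFC 8659: climb from the requested name
toward the root until a name with CAA records is found (the "relevant
RRset"), then decide from its issue/issuewild properties."""

# Constructed sample zone: name -> list of (flags, tag, value).
# An empty list means the name exists but carries no CAA records.
CONSTRUCTED_ZONE = {
    "example.com.": [(0, "issue", "letsencrypt.org"),
                     (0, "iodef", "mailto:security@example.com")],
    "www.example.com.": [],
    "wild.example.com.": [(0, "issuewild", ";")],   # forbid wildcard issuance
}

KNOWN_TAGS = ("issue", "issuewild", "iodef")


def relevant_caa_set(name, zone):
    """Return the CAA records of the closest ancestor-or-self that has any;
    an empty list means no CAA policy applies to this name."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        records = zone.get(candidate, [])
        if records:
            return records
    return []


def ca_may_issue(name, ca_domain, zone, wildcard=False):
    """True if ca_domain is authorized to issue a certificate for name.
    With no relevant RRset, any CA may issue (the pre-CAA default)."""
    records = relevant_caa_set(name, zone)
    if not records:
        return True
    for flags, tag, _ in records:
        if flags & 128 and tag not in KNOWN_TAGS:
            return False                      # unknown critical property
    tag = "issuewild" if wildcard else "issue"
    applicable = [v for _, t, v in records if t == tag]
    if wildcard and not applicable:           # issuewild falls back to issue
        applicable = [v for _, t, v in records if t == "issue"]
    if not applicable:                        # RRset present but silent
        return True
    # Drop parameters (e.g. "ca.example; account=123") before comparing.
    allowed = {v.split(";")[0].strip().lower() for v in applicable}
    return ca_domain.lower() in allowed
```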
More information about the NANOG