A Deep Dive on the Recent Widespread DNS Hijacking

Hank Nussbacher hank at efes.iucc.ac.il
Mon Feb 25 13:16:23 UTC 2019

On 25/02/2019 11:37, Ask Bjørn Hansen wrote:
>> On Feb 24, 2019, at 22:03, Hank Nussbacher <hank at efes.iucc.ac.il> wrote:
>> Did you have a CAA record defined and if not, why not?
> If the attacker got a CA to issue the cert because they changed the DNS server to be their own, a CAA record wouldn’t have helped (or at least been even easier to thwart than DNSSEC).

Yes, if an attacker pwned the DNS then it's game over no matter what. I go under the assumption that the attacker was not able to take over the DNS system but rather other things along the way, in which case CAA should be of some assistance.


> Ask
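The two positions in this exchange (CAA helps when the DNS itself is intact, and is moot once the attacker controls the zone) can be made concrete with a small CAA evaluator. The following is an added example, not code from this thread or from NANOG: it implements a simplified version of the RFC 8659 lookup (climb to the closest ancestor with CAA records, honour issue/issuewild and the critical flag, no CNAME/DNAME chasing) over constructed in-memory zones. All zone contents, hostnames and CA identifiers such as good-ca.example are hypothetical.

```python
"""Simplified CAA (RFC 8659) issuance check over a constructed in-memory zone.

Added illustration for the thread above; not code from the NANOG discussion.
Zone contents, domain names and CA identifiers are constructed for the example.
"""
from dataclasses import dataclass

CRITICAL_FLAG = 128                      # RFC 8659 "issuer critical" bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


def relevant_caa_rrset(name: str, zone: dict) -> list:
    """Return the CAA RRset governing `name`: the records at the closest
    ancestor (the name itself first) that has any CAA records.
    `zone` maps owner names to CAA lists; CNAME/DNAME chasing is omitted."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def _permitted_ca(record: CAA) -> str:
    # "issue"/"issuewild" values look like "ca.example; account=123";
    # only the part before ';' names the CA, and an empty name means "nobody".
    return record.value.split(";", 1)[0].strip().lower()


def ca_may_issue(name: str, ca_domain: str, zone: dict, wildcard: bool = False) -> bool:
    rrset = relevant_caa_rrset(name, zone)
    if not rrset:
        return True       # no CAA anywhere up the tree: issuance is unrestricted
    # An unrecognised tag marked critical forbids issuance outright.
    if any(r.flags & CRITICAL_FLAG and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    tag = "issuewild" if wildcard else "issue"
    relevant = [r for r in rrset if r.tag == tag]
    if wildcard and not relevant:
        relevant = [r for r in rrset if r.tag == "issue"]   # issuewild falls back to issue
    if not relevant:
        return True       # RRset present but silent on this kind of issuance
    return any(_permitted_ca(r) == ca_domain.lower() for r in relevant)


def scenarios() -> dict:
    """Compare the two cases debated in the thread."""
    # Constructed zone: the operator only authorises one (hypothetical) CA.
    intact_zone = {
        "example.com": [CAA(0, "issue", "good-ca.example"),
                        CAA(0, "iodef", "mailto:security@example.com")],
    }
    # Constructed zone after a DNS takeover: whoever controls the zone also
    # controls the CAA record, so the restriction no longer reflects the owner.
    hijacked_zone = {
        "example.com": [CAA(0, "issue", "other-ca.example")],
    }
    return {
        "intact_authorised_ca": ca_may_issue("www.example.com", "good-ca.example", intact_zone),
        "intact_other_ca": ca_may_issue("www.example.com", "other-ca.example", intact_zone),
        "hijacked_other_ca": ca_may_issue("www.example.com", "other-ca.example", hijacked_zone),
    }


if __name__ == "__main__":
    for case, allowed in scenarios().items():
        print(f"{case}: {'issue' if allowed else 'refuse'}")
```

The intact zone refuses the unlisted CA, which is the case Hank has in mind (an attacker who redirected traffic or a validation path but not the authoritative DNS). The hijacked zone returns the same "issue" answer for whatever CA the zone now names, which is Ask's point: CAA is only as trustworthy as the zone it lives in, so it complements rather than replaces DNSSEC and registrar/registry account hardening.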

More information about the NANOG mailing list