[dns-operations] BGP Hijack of Amazon DNS

Jimmy Hess mysidia at gmail.com
Sat Apr 28 02:35:46 UTC 2018


On Fri, Apr 27, 2018 at 6:34 PM, Randy Bush <randy at psg.com> wrote:
>> I’m surprised they didn’t just use ACME to get a real certificate.
> didn't seem to need to

Yet another thing that could be prevented by having DNSSEC fully implemented
with the signed zone (containing a CAA record blocking new certificate
issuance); providing the ACME certificate authorities are each using
validating resolvers to check for CAA records and not issuing certificates
until validated that either no CAA record exists, or one of the CAAs listed
allows the request.

--
-JH
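The CA-side check Jimmy describes, as an added illustration (not code from this thread or from any CA): a simplified RFC 8659 CAA walk over a constructed zone table, where a resolver result of None stands in for the SERVFAIL a validating resolver returns when DNSSEC validation fails, and issuance then fails closed.

```python
# Constructed example of RFC 8659-style CAA processing on the CA side.
# ZONE and lookup_caa() are invented stand-ins for a DNSSEC-validating
# resolver; CNAME/alias handling from the RFC is omitted for brevity.
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class CAA:
    flags: int   # 128 = "issuer critical" bit
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # issuer domain, or ";" meaning "nobody may issue"

# Constructed zone data. [] = NOERROR with no CAA records.
# None = SERVFAIL, i.e. the validating resolver rejected the answer
# (for example forged records served from a hijacked prefix).
ZONE: Dict[str, Optional[List[CAA]]] = {
    "example.com.": [CAA(0, "issue", "ca-a.example"),
                     CAA(0, "issuewild", ";")],
    "nocaa.example.": [],
    "bogus.example.": None,
}

def lookup_caa(name: str) -> Optional[List[CAA]]:
    """Stand-in for a validating resolver query for CAA at name."""
    return ZONE.get(name, [])

def relevant_caa(name: str) -> Optional[List[CAA]]:
    """Walk from name toward the root; the first non-empty CAA RRset is
    the relevant one. Any validation failure on the way aborts (None)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = lookup_caa(".".join(labels[i:]) + ".")
        if rrset is None:
            return None
        if rrset:
            return rrset
    return []

def may_issue(name: str, ca_id: str) -> bool:
    """True only if the CA identified by ca_id may issue for name.
    Unresolvable (unvalidated) CAA data means no issuance."""
    wildcard = name.startswith("*.")
    rrset = relevant_caa(name[2:] if wildcard else name)
    if rrset is None:
        return False
    # An unrecognised property marked critical forbids issuance.
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef")
           for r in rrset):
        return False
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    chosen = [r for r in rrset if r.tag == tag]
    if not chosen:          # no applicable property: issuance is permitted
        return True
    return any(r.value.split(";")[0].strip() == ca_id for r in chosen)
```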