[dns-operations] Spoofing DNS with fragments

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Sep 11 09:13:52 UTC 2018

On Mon, Sep 10, 2018 at 10:49:25PM +0200,
 bert hubert <bert.hubert at powerdns.com> wrote 
 a message of 22 lines which said:

> it likely is possible to do under at least somewhat real life
> conditions.

Idea for a researcher with some time and budget: try to find out how
many CA use a validating DNS resolver (my guess is:
zero). Methodology: register a domain with broken DNSSEC (like
servfail.nl) and try to get a certificate for it.

Note that as long as one CA does not validate, DNSSEC is not a
sufficient defense, you need DANE as well (otherwise the attacker will
go to another CA).

More information about the dns-operations mailing list