[dns-operations] Spoofing DNS with fragments
Stephane Bortzmeyer
bortzmeyer at nic.fr
Tue Sep 11 09:13:52 UTC 2018
On Mon, Sep 10, 2018 at 10:49:25PM +0200,
bert hubert <bert.hubert at powerdns.com> wrote
a message of 22 lines which said:
> it likely is possible to do under at least somewhat real life
> conditions.
Idea for a researcher with some time and budget: try to find out how
many CAs use a validating DNS resolver (my guess is:
zero). Methodology: register a domain with broken DNSSEC (like
servfail.nl) and try to get a certificate for it.
Note that as long as one CA does not validate, DNSSEC is not a
sufficient defense, you need DANE as well (otherwise the attacker will
go to another CA).