[cjbprime]

> 1. I would get a proper SSL cert signed

Uh, how? Are you assuming that a single BGP leak would be enough to cause e.g. a letsencrypt misissuance for the domain? It sounds like (from other comments) they have a global round-robin resolver setup for their DNS challenges.

> 2. Only hijack one of the ranges, and do not respond to other domains (causing SERVFAIL), so other domains will resolve unaffected

I think exactly that's what they did. I saw people posting SERVFAILs during the outage.

[zyberzero]

They do, and they don't. They have a round robin setup, for which resolver that validates the DNS challenge - however, they do not validate the DNS challenges from several resolvers[1]. So, if that particular resolver got caught in the BGP leak while doing a challenge verification you could get a valid cert. Lots of ifs and buts - but it is certainly possible.

[1] https://news.ycombinator.com/item?id=16918382

[geoah]

> I think exactly that's what they did. I saw people posting SERVFAILs during the outage.

Author is suggesting they should be properly resolving the rest of the domains so they wouldn't cause SERVFAILs.

[baby]

> they have a global round-robin resolver setup for their DNS challenges

no they don't