[armada651]

Then it sounds like a misconfiguration after all? Because that would mean they didn't configure CAA for their CDN.

In any case they could've hijacked the IP for the authorative DNS server, but that would at least add some complexity.

Also, this assumes their CA actually did their due diligence and the hackers didn't just fool them into reissuing the certificate to them.

[ianpurton]

I think the CDN has to configure CAA.

So if your site pulls in js from another site without sub resource integrity, and the other site doesn't have CAA configured you are vulnerable.

[NovemberWhiskey]

It's not enough for everyone involved to have CAA enabled. They need to have CAA enabled and to select a certificate authority that does effective domain ownership validation, which - as the article suggests - means (at minimum) multiple-origin checking of network-based challenge protocols like HTTP-01.

Personally, I think anyone who has a heightened attack risk ought to contemplate a CA that does some form of more thorough validation.