by tptacek
747 days ago
I'm not sure you're following. An attacker who controls BGP controls, for some small (or large) section of the Internet, the meaning of IP addresses. No DNS validation gets you around that. LetsEncrypt does in fact do things to mitigate this attack, but they have nothing to do with DNSSEC: they do multi-perspective lookups, so you'd need Internet-wide routing control.

With DNSSEC, somebody can reroute traffic all they like, but they cannot generate fake DNS responses that are DNSSEC-valid for a DNSSEC-secured victim domain. So if the CAA record is properly set to only allow the dns-01 validation method for ACME, there is simply no way to obtain a false certificate, even if the attacker controls all of BGP.
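The CAA check the reply above relies on, as an added example that is not part of the thread and not Let's Encrypt's own implementation: the CA walks from the requested name toward the root until it finds a CAA RRset (RFC 8659), then honours the `validationmethods` parameter on the matching `issue` record (RFC 8657). The `ZONE` dictionary and the names `example.com.`, `nocaa.example.` and `locked.example.` are constructed test data. Note that this logic is only as trustworthy as the DNS answer it runs on: unless the resolver validates DNSSEC, a routing attacker can just as easily serve a bogus "no CAA records" response, so the example assumes the lookup has already been validated.

```python
"""Added example: CAA tree-climbing and validationmethods enforcement.

Not code from the thread or from Let's Encrypt; ZONE below is constructed.
The lookup is assumed to be DNSSEC-validated before this logic runs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (value 128) marks the property issuer-critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. 'letsencrypt.org; validationmethods=dns-01'


# Constructed zone data (hypothetical names). Only the apex carries CAA;
# the ';' value on locked.example. means "no CA may issue".
ZONE = {
    "example.com.": [
        CAARecord(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "nocaa.example.": [],
    "locked.example.": [CAARecord(0, "issue", ";")],
}


def relevant_caa(name, zone):
    """RFC 8659 section 3: climb toward the root; the first label with a
    non-empty CAA RRset is the relevant one. (CNAME/alias handling omitted.)"""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rrset = zone.get(candidate, [])
        if rrset:
            return rrset
    return []


def parse_issue_value(value):
    """'ca.example; k=v; k2=v2' -> (domain, {k: v}); domain '' means nobody."""
    parts = [p.strip() for p in value.split(";")]
    domain = parts[0]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, _, v = p.partition("=")
            params[k.strip()] = v.strip()
    return domain, params


def caa_permits(name, ca_domain, method, zone, wildcard=False):
    """True if `ca_domain` may issue for `name` via ACME challenge `method`.

    Absence of any CAA RRset permits issuance (RFC 8659 section 4); an
    unrecognised issuer-critical property forbids it; a matching issue record
    with a validationmethods list forbids any method not listed (RFC 8657).
    """
    rrset = relevant_caa(name, zone)
    if not rrset:
        return True
    for r in rrset:
        if r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef"):
            return False  # critical property we do not understand: must not issue
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild overrides issue for wildcard requests
    candidates = [r for r in rrset if r.tag == tag]
    if not candidates:
        return True  # RRset contains nothing that restricts issuance
    for r in candidates:
        domain, params = parse_issue_value(r.value)
        if domain.lower() != ca_domain.lower():
            continue
        allowed = params.get("validationmethods")
        if allowed is None:
            return True  # CA matches and no method restriction was set
        if method in [m.strip() for m in allowed.split(",")]:
            return True
    return False


if __name__ == "__main__":
    for args in [("www.example.com.", "letsencrypt.org", "dns-01"),
                 ("www.example.com.", "letsencrypt.org", "http-01"),
                 ("example.com.", "otherca.example", "dns-01"),
                 ("host.nocaa.example.", "anyca.example", "http-01"),
                 ("locked.example.", "letsencrypt.org", "dns-01")]:
        print(args, "->", caa_permits(*args, ZONE))
```

Because the `issue` record pins both the CA and the challenge type, a BGP-level attacker who can win an `http-01` or `tls-alpn-01` race still fails the CAA check, and with DNSSEC they cannot forge the `_acme-challenge` TXT answer or the CAA answer itself either.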