by phicoh 750 days ago
It seems you're missing something, maybe because you don't consider DNSSEC as something that gets actual use.

With DNSSEC, somebody can reroute traffic all they like, but they cannot generate fake DNS responses that are DNSSEC-valid for a DNSSEC-secured victim domain. So if the CAA record is properly set to only allow the dns-01 validation method for ACME, there is simply no way to obtain a false certificate even if the attacker controls all of BGP.
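The CAA side of this argument, as an added example that is not part of the comment: a small Python check of whether a CA may issue for a domain given its CAA RRset, applying the RFC 8659 `issue` property and the RFC 8657 `validationmethods` parameter. The sample records, CA names and domain are constructed; only the `issue` property is handled (no `issuewild`).

```python
import re
from typing import Iterable

# Constructed sample CAA RRset for a victim domain (not from the comment):
# one CA may issue, and only after proving control via ACME dns-01.
SAMPLE_CAA = [
    '0 issue "letsencrypt.org; validationmethods=dns-01"',
    '0 iodef "mailto:security@example.net"',
]

# Presentation format: <flags> <tag> "<value>"
_CAA_RE = re.compile(r'^(\d+)\s+(\S+)\s+"([^"]*)"$')


def parse_caa(rr: str) -> tuple[int, str, str, dict[str, str]]:
    """Split a CAA record into flags, tag, issuer domain and parameters."""
    m = _CAA_RE.match(rr.strip())
    if not m:
        raise ValueError(f"malformed CAA record: {rr!r}")
    flags, tag, body = int(m.group(1)), m.group(2).lower(), m.group(3)
    # RFC 8659 value syntax: "<issuer-domain>; key=value; key=value"
    parts = [p.strip() for p in body.split(";")]
    issuer = parts[0].lower()
    params: dict[str, str] = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip()
    return flags, tag, issuer, params


def caa_permits(records: Iterable[str], ca: str, method: str) -> bool:
    """True if the RRset lets `ca` issue after validating with `method`.

    No 'issue' records at all means no restriction; an 'issue' record
    naming the CA permits issuance, but if it carries validationmethods
    the CA's ACME method must be in that list. 'issue ";"' forbids all CAs.
    """
    issue_records = [r for r in map(parse_caa, records) if r[1] == "issue"]
    if not issue_records:
        return True
    for _flags, _tag, issuer, params in issue_records:
        if issuer != ca.lower():
            continue
        allowed = params.get("validationmethods")
        if allowed is None:
            return True  # CA listed without a method restriction
        if method.lower() in {m.strip().lower() for m in allowed.split(",")}:
            return True
    return False
```

With the sample RRset, a CA that only ever validated via http-01 (the method a BGP hijack could influence) is refused, while dns-01 by the listed CA is allowed.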