|
|
|
|
|
|
by tptacek
573 days ago
|
|
|
Misissuance from direct DNS spoofing basically never happens. When the DNS is used to misissue a certificate, what has normally happened is a registrar account has been phished. Direct DNS spoofing is an exotic attack. Further: DNSSEC has only a partial fix for it, and the WebPKI has non-DNS-dependent mitigations (most obviously CT, but also multi-perspective DNS lookup, which is apparently going to be a BR next year). Generally speaking, setting up DNSSEC is probably a bad move for most sites. |
|
|