Hacker News new | ask | show | jobs
by cyberax 92 days ago
It does solve it. Unless you know my private key, you can't fake the DNSSEC signatures. The linking DS records in the TLD are presumably out of your control and in future can be audited through something like Certificate Transparency logs.

So even if you fully control the network path, you will somehow have to get access to my private key material.
2 comments
gzread 92 days ago
Solves part of it. They still control your HTTP and can make LE issue a certificate for you. So actually solves nothing.

Unless you had a CAA record saying only LE certs from your account are valid. And maybe you want that record to be authenticated.

link
cyberax 92 days ago
Agreed. But I meant that in the world without LE but with DNSSEC+DANE this wouldn't be an issue.
link
akerl_ 92 days ago
The attacker did not fake any DNS records. They re-routed traffic to the legitimate IP addresses.
link