Hacker News new | ask | show | jobs
by throw0101d 85 days ago
> If bad actors can create valid tls certs they can solve the dnssec problem.

I think you have it backwards: by not running DNSSEC it can mean bad actors (at least a certain level) can MITM the DNS queries that are used to validate ACME certs.

It is now mandated that public CAs have to verify DNSSEC before issuing a cert:

* https://news.ycombinator.com/item?id=47392510

So if you want to reduce the risk of someone creating a fake cert for one of your properties, you want to protect your DNS responses.
1 comments
0x073 85 days ago
If you mean MITM between DNS Server and CA (e.g. letsencrypt), thats on a level of BGP hacking (means for me government involved) and means they can just use a CA (e.g. Fina CA 2025 with cloudflare).

I think the risk didn't change much (except for big corp/bank).

link
throw0101d 85 days ago
At one point (pre-HTTPS ubiquity) the NSA hacked (e.g.) Belgium telecoms via injecting malware into web response from (e.g.) Slashdot:

* https://thehackernews.com/2013/11/snowden-reveals-gchq-plant...

* https://www.aclu.org/documents/quantum-insert-diagrams

* https://en.wikipedia.org/wiki/Man-on-the-side_attack

Still state-level, but probably less noticeable than BGP hijacking.

Unless you're entering IP addresses in all your applications and code, non-SEC DNS is an unsecured link in the chain of communications.

link