Hacker News new | ask | show | jobs
by Parodper 1 day ago
And if they don't, DNS is already a database. You could just query domains to check their certificates. People running recursive DNS servers could double-check certificates.
1 comments
toast0 1 day ago
If the DNS takeover is limited in scope, the legitimate owner wouldn't be able to query it.

CT addresses scoped attacks by making all webpki trusted certificates public knowledge. You would want something similar with DANE.

link