Today's attack on @myetherwallet (via BGP hijack of AWS name servers) proves beyond doubt that everyone should implement DNSSEC and HSTS asap!
DNSSEC = resolvers would deny fake records
HSTS = browsers would prevent users from burning themselves with self-signed certs.
And what about the other 100+ organizations capable of issuing publicly-trusted certificates? There is no requirement to validate DNSSEC when doing domain validation.
I believe there's a requirement to consider DNSSEC in the checking of the CAA records (including for non-existence of any CAA record of relevance) in the presence of the DS anchors. SERVFAIL return on CAA record query blocks further validation.
Requirement is a strong word. CAs implemented it incorrectly and browsers wouldn't enforce.
Maybe it should. That was one of the issues raised on mozilla.dev.security.policy when CAA checking became mandatory: how a CA should behave on DNSSEC failure, treat CAA as non-existent and just move on, or deny issuance.