> On Feb 24, 2019, at 10:03 PM, Hank Nussbacher <h...@efes.iucc.ac.il> wrote: > Did you have a CAA record defined and if not, why not?
It’s something we’d been planning to do but, ironically, we’d been in the
process of switching to Let’s Encrypt, and they were one of the two CAs whose
process vulnerabilities the attackers were exploiting. So, in this particular
case, it wouldn’t have helped.
I guess the combination of CAA with a very expensive, or very manual, CA, might
be an improvement. But it’s still a band-aid on a bankrupt system.
We need to get switched over to DANE as quickly as possible, and stop wasting
effort trying to keep the CA system alive with ever-hackier band-aids.
-Bill
signature.asc
Description: Message signed with OpenPGP
