> On Feb 24, 2019, at 9:20 PM, Bill Woodcock <wo...@pch.net> wrote:
>
>> On Feb 24, 2019, at 7:41 PM, Montgomery, Douglas (Fed) <do...@nist.gov> wrote:
>> In the 3rd attack noted below, do we know if the CA that issued the DV CERTS does DNSSEC validation on its DNS challenge queries?
>
> We know that neither Comodo nor Let's Encrypt were DNSSEC validating before issuing certs. The Let’s Encrypt guys at least seemed interested in learning from their mistake. Can’t say as much of Comodo.
Sorry, a correction: Apparently Let’s Encrypt _does_ do a DNSSEC validation check, and presumably that’s why a Comodo cert was used to attack us. It was my prior understanding that Let’s Encrypt certs had been used against DNSSEC-signed zones, but apparently that was not the case. My apologies for my confusion.

Nonetheless, even with the DNSSEC validation, there’s a problem here that needs to be solved, on both the parts of the CAs involved and the registry/registrar chain.

-Bill
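The check the thread is asking about, as an added illustration (my code, not Let's Encrypt's or Comodo's): a DV challenge lookup is only trusted when the reply from the CA's own validating resolver carries the AD bit for a signed zone, and a SERVFAIL is treated as a validation failure rather than retried elsewhere. It assumes the CA queries a resolver it controls (AD from an untrusted path means nothing) and already knows from a DS lookup whether the zone is signed; the DNS headers are constructed inline.

```python
import struct

# DNS header flags (RFC 1035 / RFC 4035): QR Opcode(4) AA TC RD RA Z AD CD RCODE(4)
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header; only the fields the policy needs."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),      # set only by a validating resolver
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def challenge_lookup_trustworthy(msg: bytes, zone_is_signed: bool) -> bool:
    """Decide whether a DNS challenge answer may be used to issue a DV cert.

    zone_is_signed comes from a separate DS lookup (assumed, not shown here).
    """
    h = parse_header(msg)
    if not h["qr"]:
        return False                      # not a response at all
    if h["rcode"] == RCODE_SERVFAIL:
        return False                      # validator says bogus: do not fall back
    if h["rcode"] != RCODE_NOERROR:
        return False
    if zone_is_signed and not h["ad"]:
        return False                      # signed zone but answer not validated
    return h["ancount"] > 0


def build_header(ad: bool, rcode: int = RCODE_NOERROR, ancount: int = 1) -> bytes:
    """Construct a sample response header for testing (example data)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | rcode
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)
```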