On Feb 25, 2019, at 1:16 PM, Hank Nussbacher <h...@efes.iucc.ac.il> wrote:

> Yes, if an attacker pwned the DNS then game over no matter what. I go
> under the assumption that the attacker was not able to take over the DNS
> system but rather other things along the way, in which case CAA should
> be of some assistance.
I'm excited about a proposed CAA extension (https://tools.ietf.org/html/draft-ietf-acme-caa-06) that would allow domain owners to restrict issuance to a particular ACME account and a particular validation method. This could provide stronger protection against most attacks short of a registry or registrar hijack. It's implemented in Let's Encrypt's staging environment, and I hope it's able to move forward.

--
James Renken (pronouns: he/him)
Internet Security Research Group
Let's Encrypt: A Free, Automated, and Open CA
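An added example, not part of the thread and not Let's Encrypt's code, showing how a CA could apply the `accounturi` and `validationmethods` parameters that draft-ietf-acme-caa adds to CAA `issue` records when deciding whether to issue. The record values, the account URI and the helper names are constructed placeholders; only the `issue` tag is modelled (no `issuewild`, no walking up to parent domains), and unrecognised parameters are ignored as a simplification.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass
class CaaIssue:
    issuer: str                 # CA domain named in the record; "" means "no CA"
    accounturi: Optional[str]   # exact ACME account URI required, if present
    methods: Optional[set]      # permitted validation methods, if present

def parse_issue(value: str) -> CaaIssue:
    """Parse a CAA issue property value: 'issuer-domain; key=value; key=value'."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    accounturi, methods = None, None
    for param in parts[1:]:
        if not param:
            continue
        key, _, val = param.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "accounturi":
            accounturi = val            # compared by exact string match below
        elif key == "validationmethods":
            methods = {m.strip().lower() for m in val.split(",") if m.strip()}
    return CaaIssue(issuer, accounturi, methods)

def record_permits(rec: CaaIssue, ca_domain: str, account_uri: str, method: str) -> bool:
    """One issue record permits issuance only if every constraint it carries is met."""
    if rec.issuer != ca_domain.lower():
        return False
    if rec.accounturi is not None and rec.accounturi != account_uri:
        return False
    if rec.methods is not None and method.lower() not in rec.methods:
        return False
    return True

def issuance_allowed(records: Iterable[str], ca_domain: str,
                     account_uri: str, method: str) -> bool:
    """CAA allows issuance if any issue record permits it; no records means no restriction."""
    records = list(records)
    if not records:
        return True
    return any(record_permits(parse_issue(v), ca_domain, account_uri, method)
               for v in records)

# Constructed sample: the domain pins issuance to one ACME account and to dns-01.
PINNED_ACCOUNT = "https://acme.example/acct/PLACEHOLDER-ID"
SAMPLE_RECORDS = [
    f"letsencrypt.org; accounturi={PINNED_ACCOUNT}; validationmethods=dns-01",
]

if __name__ == "__main__":
    print(issuance_allowed(SAMPLE_RECORDS, "letsencrypt.org", PINNED_ACCOUNT, "dns-01"))
    print(issuance_allowed(SAMPLE_RECORDS, "letsencrypt.org", PINNED_ACCOUNT, "http-01"))
```

With the pinned record, a request from a different ACME account or via http-01 is refused even though the CA itself is authorised, which is the protection the draft adds over a plain `issue "letsencrypt.org"` record.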