Ajedi32 | 11 days ago

DNS has always been a single point of failure for TLS cert issuance. The threat is real, but not at all unique to this validation method.

(For example, an attacker with control of DNS could switch the A record to their server and use that to pass HTTP-01 or TLS-ALPN-01 validation, or update the _acme-challenge TXT record and use that to pass DNS-01.)
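The dependency the comment above describes can be made concrete by modelling the CA side of the three ACME challenge types as lookups against a DNS zone. The following is an added example, not code from the thread or from any ACME implementation; the zone, the token, the account thumbprint and the "servers" are all constructed, and TLS-ALPN-01 is simplified to a per-IP digest. Changing only the DNS records flips the outcome of every method, and a zone-drift check is the kind of detection a defender would run against this.

```python
"""Simulated ACME validation over a constructed DNS zone (added example).

HTTP-01, TLS-ALPN-01 and DNS-01 are modelled as lookups against a zone
dictionary so the shared dependency on DNS is visible: a change to the A
record or the _acme-challenge TXT record changes the result of every method.
"""
import base64
import hashlib

# Constructed zone: owner name -> record type -> list of values.
ZONE = {"example.com.": {"A": ["192.0.2.10"]}}

# Constructed "servers", keyed by IP. The HTTP server maps a path to the body it
# serves; the ALPN server holds the hex SHA-256 it would present (simplified).
HTTP_SERVERS = {"192.0.2.10": {}}
ALPN_SERVERS = {"192.0.2.10": None}

TOKEN = "tok-constructed-1234"            # constructed challenge token
ACCOUNT_THUMBPRINT = "thumb-constructed"  # constructed account key thumbprint
KEY_AUTH = f"{TOKEN}.{ACCOUNT_THUMBPRINT}"


def lookup(zone, name, rtype):
    """Return the records of type rtype at name, or [] if none."""
    return list(zone.get(name, {}).get(rtype, []))


def dns01_txt_value(key_auth):
    """RFC 8555 DNS-01 TXT value: base64url(SHA-256(key authorization)), unpadded."""
    digest = hashlib.sha256(key_auth.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def validate_http01(zone, http_servers, domain, token, key_auth):
    """CA resolves the A record, then fetches the challenge path from that IP."""
    for ip in lookup(zone, domain + ".", "A"):
        body = http_servers.get(ip, {}).get(f"/.well-known/acme-challenge/{token}")
        if body == key_auth:
            return True
    return False


def validate_tlsalpn01(zone, alpn_servers, domain, key_auth):
    """CA resolves the A record, then checks the digest presented by that IP."""
    expected = hashlib.sha256(key_auth.encode()).hexdigest()
    return any(alpn_servers.get(ip) == expected for ip in lookup(zone, domain + ".", "A"))


def validate_dns01(zone, domain, key_auth):
    """CA looks up _acme-challenge TXT directly; no server involved."""
    return dns01_txt_value(key_auth) in lookup(zone, "_acme-challenge." + domain + ".", "TXT")


def zone_drift(expected, observed):
    """Defender check: list (name, type, expected, observed) for every record set that differs."""
    findings = []
    names = set(expected) | set(observed)
    for name in sorted(names):
        types = set(expected.get(name, {})) | set(observed.get(name, {}))
        for rtype in sorted(types):
            exp = sorted(expected.get(name, {}).get(rtype, []))
            obs = sorted(observed.get(name, {}).get(rtype, []))
            if exp != obs:
                findings.append((name, rtype, exp, obs))
    return findings


def run_scenario():
    """Validation results before and after a DNS change the operator did not make."""
    before = {
        "http-01": validate_http01(ZONE, HTTP_SERVERS, "example.com", TOKEN, KEY_AUTH),
        "tls-alpn-01": validate_tlsalpn01(ZONE, ALPN_SERVERS, "example.com", KEY_AUTH),
        "dns-01": validate_dns01(ZONE, "example.com", KEY_AUTH),
    }
    # Observed zone: A record now points elsewhere and a TXT record has appeared.
    observed = {
        "example.com.": {"A": ["198.51.100.7"]},
        "_acme-challenge.example.com.": {"TXT": [dns01_txt_value(KEY_AUTH)]},
    }
    other_http = {"198.51.100.7": {f"/.well-known/acme-challenge/{TOKEN}": KEY_AUTH}}
    other_alpn = {"198.51.100.7": hashlib.sha256(KEY_AUTH.encode()).hexdigest()}
    after = {
        "http-01": validate_http01(observed, other_http, "example.com", TOKEN, KEY_AUTH),
        "tls-alpn-01": validate_tlsalpn01(observed, other_alpn, "example.com", KEY_AUTH),
        "dns-01": validate_dns01(observed, "example.com", KEY_AUTH),
    }
    return {"before": before, "after": after, "drift": zone_drift(ZONE, observed)}


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

The point of `zone_drift` is that none of the three validations produce a signal the domain operator sees; the only place the change is visible is in the zone itself, so monitoring the authoritative records (A/AAAA, NS, and `_acme-challenge` TXT) against an expected baseline is where detection has to live.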

redleader55 | 10 days ago

While this is true, improvements in the TLS issuance process should also improve security. When the eventual deprecation of TLS-ALPN-01 and DNS-01 comes, this new method would be completely secure.

Here, the record could for example contain a signature from the same key pair used to authenticate the account. The alternative is DNSSEC, but that's avoided by a lot of domains.