"If an attacker has full control over your DNS" Shouldn't this be "over the CAs ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		slasaus on Nov 21, 2014 \| parent \| context \| favorite \| on: Let's Encrypt: How It Works "If an attacker has full control over your DNS" Shouldn't this be "over the CAs DNS resolver"? /edit well I guess if the attacker has control over your dns server, ofcours, but another vector is to spoof as the CAs resolver when the CA does a lookup for your domain.

pfg on Nov 21, 2014 [–]

Control of any name server used by the CA to resolve your hostname would be enough. That could be either the CAs DNS, any resolver in between (e.g. something like Google's Public DNS, which hopefully no real CA is using) or the authoritative name server of the domain. That is, unless you use DNSSEC.

Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact