On Sun, Oct 16, 2016 at 03:51:27AM +0100, Hugo Landau wrote:
> I've updated my ACME-CAA draft to add the 'acme-methods' parameter:
> http://hlandau.github.io/draft-landau-acme-caa/

Security considerations might mention that not all methods are equally
secure under DNSSEC (I didn't see this mentioned):

E.g. HTTP-01 can be falsely passed by hijacking connections to the
addresses obtained from the DNS, and DNSSEC can't protect against this,
while the same kind of attack won't work against DNS-01 (since all
data comes from DNS, and thus DNSSEC can verify it).
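
An added example (not part of the original message or the draft): a small audit of constructed CAA `issue` values that reports which permitted ACME methods depend on data outside DNS, following the HTTP-01 versus DNS-01 distinction made above. The comma-separated value syntax for `acme-methods`, the `DNS_ONLY_METHODS` set and the function names are assumptions of this example, not taken from the draft.

```python
import re

# Assumption of this example: methods whose validation data is fetched
# entirely from DNS, so a DNSSEC-validating CA can authenticate all of it.
DNS_ONLY_METHODS = {"dns-01"}


def parse_issue_value(value):
    """Split a CAA issue value into (issuer_domain, {parameter: value})."""
    domain, _, rest = value.partition(";")
    params = {}
    # Accept parameters separated by whitespace or semicolons.
    for item in re.split(r"[;\s]+", rest.strip()):
        if item:
            tag, _, val = item.partition("=")
            params[tag.strip().lower()] = val.strip()
    return domain.strip(), params


def audit(value):
    """Return (issuer, finding) for one CAA issue value.

    finding is None when no acme-methods restriction is present (any method,
    including HTTP-01, may be used), otherwise the sorted list of permitted
    methods that rely on something DNSSEC cannot authenticate.
    """
    issuer, params = parse_issue_value(value)
    if "acme-methods" not in params:
        return issuer, None
    # Assumed syntax: comma-separated method names.
    methods = {m.strip().lower()
               for m in params["acme-methods"].split(",") if m.strip()}
    return issuer, sorted(methods - DNS_ONLY_METHODS)


if __name__ == "__main__":
    # Constructed sample values; ca.example is a placeholder issuer.
    samples = [
        "ca.example",
        "ca.example; acme-methods=dns-01",
        "ca.example; acme-methods=dns-01,http-01",
    ]
    for s in samples:
        issuer, finding = audit(s)
        if finding is None:
            print(f"{s!r}: unrestricted, DNSSEC does not cover every method")
        elif finding:
            print(f"{s!r}: permits non-DNS-only methods {finding}")
        else:
            print(f"{s!r}: DNS-only, validation data is DNSSEC-verifiable")
```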

