On Tue, Feb 26, 2019 at 1:58 AM Bill Woodcock <wo...@pch.net> wrote:
>
> > On Feb 24, 2019, at 10:03 PM, Hank Nussbacher <h...@efes.iucc.ac.il> wrote:
> >
> > Did you have a CAA record defined and if not, why not?
>
> It’s something we’d been planning to do but, ironically, we’d been in the
> process of switching to Let’s Encrypt, and they were one of the two CAs
> whose process vulnerabilities the attackers were exploiting. So, in this
> particular case, it wouldn’t have helped.
>
> I guess the combination of CAA with a very expensive, or very manual, CA,
> might be an improvement. But it’s still a band-aid on a bankrupt system.
>
> We need to get switched over to DANE as quickly as possible, and stop
> wasting effort trying to keep the CA system alive with ever-hackier
> band-aids.
>
> -Bill
DNS guy says the solution for insecure DNS is... wait for it.... more DNS ...
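The CAA check Hank asks about and the DANE pinning Bill proposes, side by side, as an added example that is not code from either poster, from the list, or from any CA mentioned. It is Python using only the standard library: the ZONE records, the hostnames under example.net and the SPKI bytes are constructed placeholders, no real DNS is queried, and the CAA part follows the RFC 8659 tree-climbing and issue/issuewild rules a CA applies before issuing. Run together, the two checks show the distinction in Bill's reply: a CAA set that names Let's Encrypt still lets a certificate through when that CA's validation was fooled, while a DANE-EE TLSA record rejects any key the zone owner never published, whichever CA signed it.

```python
"""CAA evaluation per RFC 8659 and a DANE-EE (TLSA 3 1 1) key match.

Stdlib only. ZONE and SPKI below are constructed stand-ins for DNS data
and a server's SubjectPublicKeyInfo; nothing here queries real DNS.
"""
import hashlib
from dataclasses import dataclass

CRITICAL = 0x80  # RFC 8659 "issuer critical" flag bit


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed zone data (name -> CAA RRset); not real records.
ZONE = {
    "example.net.": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issue", "digicert.com"),
        CAA(0, "iodef", "mailto:security@example.net"),
    ],
    # "issue ;" (empty issuer domain) forbids every CA.
    "locked.example.net.": [CAA(0, "issue", ";")],
    # A critical property the CA does not understand also forbids issuance.
    "strict.example.net.": [CAA(CRITICAL, "futuretag", "x")],
}


def parent(name):
    """Parent FQDN, or None once only the top-level label is left."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else None


def relevant_caa_set(fqdn):
    """RFC 8659 section 3: first non-empty CAA RRset walking toward the root."""
    name = (fqdn if fqdn.endswith(".") else fqdn + ".").lower()
    while name is not None:
        rrset = ZONE.get(name, [])
        if rrset:
            return rrset
        name = parent(name)
    return []


def issuer_domain(value):
    """'issuer-domain [; key=val ...]' -> issuer domain ('' means no CA)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca_domain, requested_name):
    """Decide, as a CA would, whether `ca_domain` may issue for `requested_name`."""
    wildcard = requested_name.startswith("*.")
    rrset = relevant_caa_set(requested_name[2:] if wildcard else requested_name)
    if not rrset:
        return True, "no CAA records in the tree: any CA may issue"
    for rr in rrset:
        if rr.flags & CRITICAL and rr.tag.lower() not in {"issue", "issuewild", "iodef"}:
            return False, f"unrecognized critical property '{rr.tag}'"
    # Wildcard requests use 'issuewild' if any is present, otherwise 'issue'.
    tag = "issue"
    if wildcard and any(rr.tag.lower() == "issuewild" for rr in rrset):
        tag = "issuewild"
    relevant = [rr for rr in rrset if rr.tag.lower() == tag]
    if not relevant:
        return True, f"no '{tag}' property: any CA may issue"
    allowed = {issuer_domain(rr.value) for rr in relevant}
    if ca_domain.lower() in allowed:
        return True, f"'{tag}' names {ca_domain}"
    return False, f"'{tag}' limits issuance to {sorted(d for d in allowed if d) or 'no CA'}"


# --- DANE-EE: TLSA usage 3, selector 1 (SPKI), matching type 1 (SHA-256) ---
# Constructed stand-in for the DER SubjectPublicKeyInfo of the site's key.
SPKI = b"constructed-spki-der-for-example.net"


def tlsa_record(spki_der):
    """TLSA rdata the zone owner publishes to pin this key: (3, 1, 1, hex digest)."""
    return (3, 1, 1, hashlib.sha256(spki_der).hexdigest())


def dane_ee_matches(tlsa, presented_spki_der):
    """True iff the presented key's SPKI hash equals the published TLSA digest."""
    usage, selector, mtype, digest = tlsa
    if (usage, selector, mtype) != (3, 1, 1):
        raise ValueError("only TLSA 3 1 1 is handled in this example")
    return hashlib.sha256(presented_spki_der).hexdigest() == digest.lower()


if __name__ == "__main__":
    # CAA: a CA named in the record set passes, whatever its validation did.
    print(may_issue("letsencrypt.org", "www.example.net"))
    print(may_issue("globalsign.com", "www.example.net"))
    print(may_issue("letsencrypt.org", "locked.example.net"))
    # DANE: a key the zone owner never published fails, whoever signed it.
    pin = tlsa_record(SPKI)
    print(dane_ee_matches(pin, SPKI), dane_ee_matches(pin, b"attacker-generated-key"))
```

The example trusts its in-memory ZONE dict. In deployment the CA's CAA lookup and the client's TLSA lookup both depend on DNSSEC-validated answers, which is the dependency the one-line reply above is pointing at.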