Hacker News

0x073, today at 7:17 AM

"Otherwise any MitM can easily redirect users to a phishing resource."

Yes, but with today's HTTPS/TLS usage it's almost irrelevant for normal websites.

If bad actors can create valid TLS certs, they can solve the DNSSEC problem.


Replies

throw0101d, today at 1:07 PM

> If bad actors can create valid tls certs they can solve the dnssec problem.

I think you have it backwards: not running DNSSEC can mean that bad actors (at least at a certain level) can MITM the DNS queries that are used to validate ACME certs.

It is now mandated that public CAs have to verify DNSSEC before issuing a cert:

* https://news.ycombinator.com/item?id=47392510

So if you want to reduce the risk of someone creating a fake cert for one of your properties, you want to protect your DNS responses.

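The check throw0101d's point implies, as an added example that is not part of the thread: a standard-library Python script that sends a query with the EDNS0 DO bit to a validating resolver and reports whether the answer came back with the AD flag, i.e. whether that zone's responses validated under DNSSEC. The resolver address (9.9.9.9, Quad9) and the function names are my assumptions; the query builder and header parser are pure functions so they can be exercised offline on constructed bytes.

```python
"""Report whether a zone's answers validate under DNSSEC (AD flag).

Added example (not from the thread), standard library only. A validating
resolver sets AD in its reply only when it could validate the RRSIG chain
back to the root. Assumption: resolver 9.9.9.9 (Quad9, validating).
"""
import secrets
import socket
import struct

FLAG_RD = 0x0100   # header flag: recursion desired
FLAG_AD = 0x0020   # header flag: authentic data (validated by the resolver)
EDNS_DO = 0x8000   # OPT RR flag: "DNSSEC OK", ask for RRSIGs / validation


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Standard query for `name` (default type A) plus an OPT RR with DO set."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # qd=1, ar=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT: root name, type 41, UDP size 4096, ext-rcode 0, version 0, flags, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt


def parse_header(response: bytes) -> dict:
    """Decode the 12-byte DNS header; only the fields this check needs."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return {"txid": txid, "rcode": flags & 0xF,
            "ad": bool(flags & FLAG_AD), "answers": an}


def dnssec_validated(name: str, resolver: str = "9.9.9.9") -> bool:
    """True if the resolver answered with AD set, i.e. the zone validated."""
    txid = secrets.randbelow(1 << 16)  # random ID so a stray reply is rejected
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3.0)
        s.sendto(build_query(name, txid=txid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["txid"] != txid or hdr["rcode"] != 0:
        raise RuntimeError(f"bad reply for {name}: {hdr}")
    return hdr["ad"]


if __name__ == "__main__":
    import sys
    for zone in sys.argv[1:] or ["example.com"]:
        print(zone, "validated (AD)" if dnssec_validated(zone) else "NOT validated")
```

AD reflects validation by the resolver you asked, not by the CA's resolver; what it tells you is whether the zone is signed with a DS chain anyone can verify, which is the property the CA-side check relies on.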