Hacker News

throw0101d, today at 1:07 PM (1 reply)

> If bad actors can create valid tls certs they can solve the dnssec problem.

I think you have it backwards: by not running DNSSEC it can mean bad actors (at least a certain level) can MITM the DNS queries that are used to validate ACME certs.

It is now mandated that public CAs have to verify DNSSEC before issuing a cert:

* https://news.ycombinator.com/item?id=47392510

So if you want to reduce the risk of someone creating a fake cert for one of your properties, you want to protect your DNS responses.


Replies

0x073, today at 4:09 PM

If you mean MITM between DNS server and CA (e.g. Let's Encrypt), that's on the level of BGP hacking (which for me means government involved) and means they can just use a CA (e.g. Fina CA 2025 with Cloudflare).

I think the risk didn't change much (except for big corp/bank).
