And if they don't, DNS is already a database. You could just query domains to check their certificates. People running recursive DNS servers could double-check certificates.
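The check this comment has in mind is a DANE lookup: fetch the TLSA records at `_443._tcp.<host>` and compare them against the certificate the server presents. The following is an added example, not code from anyone in this thread, showing the RFC 6698 record format and matching rules (usage, selector, matching type) with the Python standard library only. The DNS query itself, the DNSSEC validation the record depends on, and the ASN.1 parsing needed to pull a SubjectPublicKeyInfo out of a DER certificate are out of scope here; the "certificates" are constructed byte strings standing in for DER, and the SPKI for selector 1 is assumed to be passed in already extracted.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698 s2.1.1)
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo only
    mtype: int      # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


def tlsa_name(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name for the TLSA record of a service, e.g. _443._tcp.example.com."""
    return f"_{port}._{proto}.{host}."


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format: 'usage selector mtype hexdata' (hex may be split by spaces)."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA needs four fields")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown usage/selector/matching type")
    data = bytes.fromhex("".join(parts[3:]))
    if (mtype == 1 and len(data) != 32) or (mtype == 2 and len(data) != 64):
        raise ValueError("digest length does not fit matching type")
    return TLSA(usage, selector, mtype, data)


def association_data(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what the record's data field should contain for this certificate."""
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 0:
        return selected
    if rec.mtype == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    # Constant-time compare; different lengths simply do not match.
    return hmac.compare_digest(association_data(rec, cert_der, spki_der), rec.data)


def dane_check(records: list[TLSA], chain: list[bytes], chain_spki: list[bytes]) -> tuple[bool, str]:
    """Evaluate a TLSA RRset against a presented chain (chain[0] is the end-entity).

    Only the DANE-only usages (2 and 3) are decided here. Usages 0 and 1 additionally
    require ordinary PKIX validation, which this offline example does not perform.
    """
    for rec in records:
        if rec.usage == 3:
            if matches(rec, chain[0], chain_spki[0]):
                return True, "DANE-EE: end-entity certificate matches"
        elif rec.usage == 2:
            for cert, spki in zip(chain[1:], chain_spki[1:]):
                if matches(rec, cert, spki):
                    return True, "DANE-TA: a chain CA matches the trust anchor record"
        # usage 0 / 1: PKIX-constrained, needs a WebPKI path validation first; skipped
    return False, "no usable TLSA record matched the presented chain"


# Constructed sample data (stand-ins for DER, not real certificates).
SAMPLE_EE_CERT = b"constructed end-entity certificate bytes"
SAMPLE_CA_CERT = b"constructed issuing CA certificate bytes"
SAMPLE_RECORD = "3 0 1 " + hashlib.sha256(SAMPLE_EE_CERT).hexdigest()      # DANE-EE, full cert, SHA-256
SAMPLE_TA_RECORD = "2 0 1 " + hashlib.sha256(SAMPLE_CA_CERT).hexdigest()   # DANE-TA, full cert, SHA-256

if __name__ == "__main__":
    rec = parse_tlsa(SAMPLE_RECORD)
    print(tlsa_name("example.com", 443), "->", SAMPLE_RECORD)
    print(dane_check([rec], [SAMPLE_EE_CERT, SAMPLE_CA_CERT], [b"", b""]))
```

In practice the RRset must come back DNSSEC-validated (AD bit from a trusted resolver, or local validation); an unsigned TLSA answer is exactly what a scoped DNS takeover would serve, which is the point the reply below makes.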
If the DNS takeover is limited in scope, the legitimate owner wouldn't be able to query it.
CT addresses scoped attacks by making all WebPKI-trusted certificates public knowledge. You would want something similar with DANE.