Comment by dsr_

3 years ago

Right. If you control the DNS, you can point names at any IP address and get appropriate certs for them. Therefore, you must protect your DNS infrastructure.

Isn't the need to protect your DNS infrastructure pretty obvious anyway, even when ignoring certificate validation?

  • Besides, if I can change your DNS, I can change your HTTP responses as well. So control over DNS already lets me get a Let's Encrypt cert for you anyway. Though it is slightly easier to notice if someone changes your DNS to point to a different server than if someone adds a TXT record. I say slightly because if I change your DNS to point at my server, I can just proxy requests to your old server so everything still looks like it works.

    Heck, even with most other certificate issuers I can get a cert in similar ways when controlling DNS.

    • How often does one monitor their zone files and their updates?

      Would you be able to catch new subdomains being created under your watch?
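The monitoring the last two comments ask about can be done by diffing zone snapshots and alerting on exactly the changes discussed in the thread: new names appearing under the zone, new TXT records, and ACME validation records in particular. The script below is an added example, not code from any commenter; the zone text and the simplified "name TTL class type rdata" line format are constructed sample data.

```python
"""Diff two DNS zone snapshots and flag the additions worth alerting on."""
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    name: str    # owner name, lower-cased, trailing dot removed
    rtype: str   # record type, e.g. A, TXT
    rdata: str   # record data as written in the zone file

def parse_zone(text: str) -> set[Record]:
    """Parse simplified 'name TTL class type rdata' lines; ';' starts a comment."""
    records = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        name, _ttl, _cls, rtype, rdata = line.split(None, 4)
        records.add(Record(name.lower().rstrip("."), rtype.upper(), rdata))
    return records

def zone_alerts(old_text: str, new_text: str) -> list[str]:
    """Return one alert string per record that differs between two snapshots."""
    old, new = parse_zone(old_text), parse_zone(new_text)
    old_names = {r.name for r in old}
    key = lambda r: (r.name, r.rtype, r.rdata)
    alerts = []
    for r in sorted(new - old, key=key):
        if r.name.startswith("_acme-challenge."):
            # A DNS-01 validation record appearing is the strongest signal of cert issuance.
            alerts.append(f"ACME VALIDATION RECORD at {r.name}: {r.rdata}")
        elif r.name not in old_names:
            alerts.append(f"NEW NAME {r.name} ({r.rtype} {r.rdata})")
        elif r.rtype == "TXT":
            alerts.append(f"NEW TXT on {r.name}: {r.rdata}")
        else:
            alerts.append(f"CHANGED {r.rtype} {r.name} -> {r.rdata}")
    for r in sorted(old - new, key=key):
        alerts.append(f"REMOVED {r.rtype} {r.name} {r.rdata}")
    return alerts

# Constructed snapshots: yesterday's zone and today's zone for example.com.
OLD_ZONE = """
example.com.      3600 IN A   192.0.2.10
www.example.com.  3600 IN A   192.0.2.10
example.com.      3600 IN TXT "v=spf1 -all"
"""
NEW_ZONE = """
example.com.      3600 IN A   192.0.2.10
www.example.com.  3600 IN A   198.51.100.7   ; now points at a different host
example.com.      3600 IN TXT "v=spf1 -all"
_acme-challenge.example.com. 300 IN TXT "constructed-validation-token"
dev.example.com.  300  IN A   198.51.100.8   ; a name that did not exist before
"""

if __name__ == "__main__":
    for alert in zone_alerts(OLD_ZONE, NEW_ZONE):
        print(alert)
```

Feeding it successive exports of the zone (from the authoritative server or the provider's API) turns "would you notice a new subdomain or TXT record" into a question the script answers on every run.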