Comment by akerl_
8 hours ago
I don't see any indication that DNSSEC would have been relevant there? Their assessment was that that interception (and certificate issuance) were completed by redirecting traffic for the legitimate IPs to another destination. The DNS records continued to work as expected.
You requested:
> real world compromises of major sites that don't use DNSSEC?
Without any other changes to this infrastructure DNSSEC by itself wouldn't have prevented this, but it could have been combined with something else like a CAA record.
Sure. I guess by that logic this attack also could have been prevented by flossing, as long as you combined flossing with setting a CAA record.