Hacker News

An attacker can send more than one packet, and likely make multiple attempts to 'verify' the domain under attack. If the attack window is 1 second, and an attacker can source 1 million (spoofed) packets per second, and the server is using the full space for source port and query ids, and there's a single resolver, the attacker can get a cert fraudulently issued about 1 out of 4000 times.

DNSSEC makes that much harder, so it's nice that their resolvers are using it.
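The race the comment above prices out, worked through as an added example (this is not code from the original post or from the CA in question). It models a blind attacker guessing the resolver's (source port, 16-bit query ID) pair during a validation query, and compares a resolver that randomizes its source port with one that reuses a fixed port. Assumptions, stated in the code: every spoofed packet in a window carries a distinct guess, the resolver accepts the first matching response, windows are independent, and the port space is the full 16 bits the comment assumes (real ephemeral ranges are smaller, which only helps the attacker). DNSSEC is not modelled: with validation, a matching guess still lacks a valid signature, so guessing alone does not win.

```python
"""Success-probability model for blind DNS response spoofing against a
certificate authority's validation resolver.

Added example, not code from the original post. Assumptions: the attacker
must guess the resolver's (source port, 16-bit query ID) pair, the resolver
accepts the first matching response, every spoofed packet in one window
carries a distinct guess, and windows are independent.
"""
import math
from fractions import Fraction

TXID_SPACE = 2 ** 16   # 16-bit DNS transaction ID
PORT_SPACE = 2 ** 16   # the comment's "full space"; real ephemeral ranges are smaller


def keyspace(randomize_ports: bool) -> int:
    """Distinct (port, txid) values the attacker must hit for one query.
    A resolver that reuses one fixed source port leaves only the txid unknown."""
    return TXID_SPACE * (PORT_SPACE if randomize_ports else 1)


def p_window(guesses: int, randomize_ports: bool) -> Fraction:
    """P(one attack window succeeds) when `guesses` distinct pairs are sprayed
    at a single query; capped at 1 once the whole keyspace is covered."""
    space = keyspace(randomize_ports)
    return Fraction(min(guesses, space), space)


def p_after(attempts: int, p: Fraction) -> float:
    """P(at least one success) over `attempts` independent windows."""
    return 1.0 - (1.0 - float(p)) ** attempts


def attempts_for(target: float, p: Fraction) -> int:
    """Windows needed before P(at least one success) reaches `target`."""
    if p >= 1:
        return 1
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - float(p)))


def report(pps: int, window_s: float, randomize_ports: bool) -> dict:
    """Summarise one scenario: spoofed packets per second, seconds the
    resolver waits for an answer, and whether source ports are randomized."""
    guesses = int(pps * window_s)
    p = p_window(guesses, randomize_ports)
    n50 = attempts_for(0.5, p)
    return {
        "p_per_attempt": p,
        "one_in": float(1 / p) if p else float("inf"),
        "attempts_for_50pct": n50,
        "packets_for_50pct": n50 * guesses,
    }


if __name__ == "__main__":
    # The comment's scenario: 1 s window, 1e6 spoofed packets/s, single resolver.
    for ports in (True, False):
        r = report(1_000_000, 1.0, ports)
        print(f"randomized ports={ports}: p per attempt ~ 1 in {r['one_in']:.0f}, "
              f"{r['attempts_for_50pct']} attempts (~{r['packets_for_50pct']:.2e} packets) "
              f"for a 50% chance of a bogus issuance")
```

With randomized ports the per-attempt odds come out at about 1 in 4295, matching the comment's "1 out of 4000", and roughly 3000 validation attempts (about 3e9 spoofed packets) give the attacker even odds. With a fixed source port, one million distinct guesses cover the entire 16-bit query-ID space, so a single attempt succeeds with certainty; that difference is why source-port randomization is the baseline and why the comment treats DNSSEC as the real fix.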
