
> An attacker should not gain the ability to persistently issue certificates because they have one-time access to DNS.

They wouldn't. As soon as the owner of the domain removes the TXT entry that ability would be gone.

Of course - but that requires the owner to know they were attacked, know the attacker added a TXT verification, potentially overcome fear of deleting it breaking something unexpected, etc.

If the owner does not find out that someone got control of their DNS server, the attacker can do anything with the domain anyhow. Including issuing certs.

Yes, but once that access is revoked, that is enough to be certain that the attacker can no longer issue certs. With your proposal, I would then have to audit my TXT records and delete only attacker-created records.

(Which in general would be a good practice anyway, because many services do use domain validation processes similar to what you propose)
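An audit of the kind the last reply describes, as an added example that is not part of the thread: it classifies TXT records from a constructed zone export and reports validation-style records that are not on the operator's own allowlist, so leftover or unexpected ownership tokens get reviewed rather than silently kept. The record names, values, name/value patterns and the allowlist are all assumptions.

```python
import re

# Constructed sample zone export as (record name, TXT value) pairs; not real data.
SAMPLE_TXT_RECORDS = [
    ("example.test", "v=spf1 include:_spf.example.test -all"),
    ("_acme-challenge.example.test", "constructed-token-value"),
    ("example.test", "google-site-verification=abc123"),
    ("_dmarc.example.test", "v=DMARC1; p=reject"),
    ("example.test", "some-vendor-verification=deadbeef"),
]

# Mail-policy records are not ownership proofs, so they are never flagged.
POLICY_PREFIXES = ("v=spf1", "v=dmarc1", "v=dkim1")

# Assumed patterns for records whose purpose is proving control to a third party:
# an ACME DNS-01 challenge label (normally per-order, so a leftover one is stale)
# or a "<vendor>-verification=<token>" style value.
VALIDATION_NAME_RE = re.compile(r"^_acme-challenge\.", re.IGNORECASE)
VALIDATION_VALUE_RE = re.compile(r"^[\w.-]*verif(y|ication)[\w.-]*=", re.IGNORECASE)


def classify_txt(name, value):
    """Return 'policy', 'validation' or 'other' for one TXT record."""
    v = value.strip().strip('"')
    if v.lower().startswith(POLICY_PREFIXES):
        return "policy"
    if VALIDATION_NAME_RE.search(name) or VALIDATION_VALUE_RE.match(v):
        return "validation"
    return "other"


def audit_txt_records(records, allowlist=frozenset()):
    """List validation-style TXT records the operator has not explicitly approved.

    allowlist holds (name, value) pairs the operator knows they created; anything
    else that looks like a domain-validation token is returned for review.
    """
    findings = []
    for name, value in records:
        cleaned = value.strip().strip('"')
        if classify_txt(name, value) == "validation" and (name, cleaned) not in allowlist:
            findings.append((name, cleaned))
    return findings


if __name__ == "__main__":
    known = frozenset({("example.test", "google-site-verification=abc123")})
    for name, value in audit_txt_records(SAMPLE_TXT_RECORDS, known):
        print(f"review: {name} TXT {value!r}")
```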
