Preventing an attacker with DNS control from issuing certificates


I have always wondered what steps I could take to prevent an attacker who has gained DNS control from being able to issue DV certificates for the domain.


Make sure you’re using 2-step authentication with your domain registrar or DNS provider :slight_smile:

Edit: if you’re worried about losing access to your mobile and you are on Android, check out Authenticator Plus, which allows you to sync your code profiles to other mobile and tablet devices.

I have my 2-step profiles for my registered services synced across 2 mobile phones (Android) and 2 Android tablets. So any one of those devices will give me my 2-step codes when I need them.


Already do that, still far away from a secure solution.


If someone has control of your DNS and wants to issue a cert for your domain, then they will likely have redirected your domain to their server; they will also most likely have had to hack your email during all this.

You’re going to notice something is wrong sooner rather than later (or you had better check for a pulse!).

If you’re truly paranoid, do regular DNS queries to check what goes where…
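The "regular DNS queries" idea above, turned into a concrete drift check. This is an added example, not code from the original thread: it compares a stored baseline of a domain's records against a fresh snapshot and flags the changes that matter most for DV issuance (NS, A/AAAA, MX, CAA, and TXT, where `_acme-challenge` validation tokens appear). The domain `example.test`, the record values and both snapshots are constructed so the script runs offline; in practice the `CURRENT` snapshot would come from querying several independent public resolvers, since an attacker who controls your DNS also controls what your own authoritative servers answer.

```python
"""Detect DNS drift between a stored baseline and a fresh snapshot (constructed data, runs offline)."""
from typing import Dict, List, Set, Tuple

# (owner name, RR type) -> set of record values as presentation-format strings
Snapshot = Dict[Tuple[str, str], Set[str]]

# Record types whose change most directly affects who can pass a DV challenge
# (NS/A/AAAA decide where HTTP-01 requests land, CAA gates which CA may issue,
# TXT under _acme-challenge is how DNS-01 is answered, MX affects email-based validation).
HIGH_RISK_TYPES = {"NS", "A", "AAAA", "MX", "CAA", "TXT"}

# Constructed baseline: what the zone looked like when you last verified it by hand.
BASELINE: Snapshot = {
    ("example.test.", "NS"): {"ns1.example.test.", "ns2.example.test."},
    ("example.test.", "A"): {"192.0.2.10"},
    ("example.test.", "MX"): {"10 mail.example.test."},
    ("example.test.", "CAA"): {'0 issue "letsencrypt.org"'},
}

# Constructed "current" snapshot: the apex A record now points elsewhere, the CAA
# record is gone, and a validation token has appeared under _acme-challenge.
CURRENT: Snapshot = {
    ("example.test.", "NS"): {"ns1.example.test.", "ns2.example.test."},
    ("example.test.", "A"): {"198.51.100.77"},
    ("example.test.", "MX"): {"10 mail.example.test."},
    ("_acme-challenge.example.test.", "TXT"): {'"constructed-token-value"'},
}


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> List[dict]:
    """Return one event per RRset that was added, removed, or changed."""
    events = []
    for key in sorted(set(baseline) | set(current)):
        before = baseline.get(key, set())
        after = current.get(key, set())
        if before == after:
            continue
        owner, rtype = key
        if not after:
            kind = "removed"
        elif not before:
            kind = "added"
        else:
            kind = "changed"
        events.append({
            "owner": owner,
            "type": rtype,
            "change": kind,
            "before": sorted(before),
            "after": sorted(after),
            "high_risk": rtype in HIGH_RISK_TYPES,
        })
    return events


def high_risk_events(events: List[dict]) -> List[dict]:
    """Filter to the changes worth paging someone about."""
    return [e for e in events if e["high_risk"]]


def format_alert(event: dict) -> str:
    """One-line, log-friendly rendering of a drift event."""
    return "{level} {change} {type} {owner} before={before} after={after}".format(
        level="HIGH" if event["high_risk"] else "info", **event
    )


if __name__ == "__main__":
    for ev in diff_snapshots(BASELINE, CURRENT):
        print(format_alert(ev))
```

Run on the constructed snapshots it reports three high-risk events: the changed A record, the removed CAA record and the new `_acme-challenge` TXT record. Scheduling this from a host outside the domain's own infrastructure, with the baseline stored somewhere the DNS account cannot touch, is what makes it useful as an early warning rather than just a log.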


A 3.99 EUR app could be too much for some people… Authy 2-Factor Authentication is a valid option too, and it’s a FREE app with desktop support through Chrome apps and nearly the same features on Android devices (just no ‘Kindle’ support). Hope this helps, too!


I don’t think there’s a comprehensive industry-standard response to this problem. You can use CAA, but that also goes via the DNS so the attacker can remove the policy.

It’s possible that Let’s Encrypt or another part of the DV industry could invent some parallel mechanism to CAA that’s more durable or out-of-band, but this hasn’t happened yet.

For Let’s Encrypt in particular, if you get a cert from us or someone else at the outset and start using it, we won’t issue an additional cert while we know that one is valid and in use unless you can show cryptographically that you control that cert or the Let’s Encrypt account that requested it. That policy doesn’t necessarily apply to other DV CAs’ issuance.

The big challenge is that for DV, the DNS records are basically considered the ground truth about the meaning of names.
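The CAA point above, made concrete. This is an added example, not Let's Encrypt's or any CA's code: it evaluates CAA records the way RFC 8659 describes (climb from the requested name towards the root until a CAA RRset is found; `issue` governs ordinary names, `issuewild` governs wildcards and falls back to `issue`; a value of `;` permits no CA; an unrecognised property with the critical flag set blocks issuance). The zone for `example.test` is constructed and held in a dict so it runs offline. The last check shows the weakness the post describes: once an attacker with DNS control deletes the CAA RRset, every CA is permitted again.

```python
"""CAA policy evaluation (RFC 8659 semantics) against a constructed in-memory zone."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ISSUER_CRITICAL = 128  # bit 7 of the CAA flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


Zone = Dict[str, List[CAA]]

# Constructed zone: policy lives on the apex only; www has no CAA of its own.
ZONE: Zone = {
    "example.test.": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issuewild", ";"),                       # no wildcard issuance by anyone
        CAA(0, "iodef", "mailto:security@example.test"),
    ],
    "www.example.test.": [],
}


def lookup_caa(zone: Zone, name: str) -> Tuple[Optional[str], List[CAA]]:
    """Relevant RRset = first non-empty CAA set found walking from name to the root."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rrset = zone.get(candidate, [])
        if rrset:
            return candidate, list(rrset)
    return None, []


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(zone: Zone, name: str, ca_domain: str, wildcard: bool = False) -> Tuple[bool, str]:
    """Decide whether ca_domain is permitted to issue for name (or *.name if wildcard)."""
    owner, rrset = lookup_caa(zone, name)
    if not rrset:
        return True, "no CAA RRset found on %s or any parent: any CA may issue" % name

    # A critical flag on a property the CA does not understand means: do not issue.
    for rr in rrset:
        if rr.flags & ISSUER_CRITICAL and rr.tag not in KNOWN_TAGS:
            return False, "unrecognised critical property %r at %s" % (rr.tag, owner)

    relevant = [rr for rr in rrset if rr.tag == "issuewild"] if wildcard else []
    if not relevant:
        relevant = [rr for rr in rrset if rr.tag == "issue"]
    if not relevant:
        return True, "CAA present at %s but no issue/issuewild property: issuance permitted" % owner

    allowed = {issuer_domain(rr.value) for rr in relevant} - {""}
    if ca_domain.lower() in allowed:
        return True, "%s listed at %s" % (ca_domain, owner)
    return False, "%s not in %s at %s" % (ca_domain, sorted(allowed) or "(no CA)", owner)


def tampered_zone(zone: Zone, owner: str) -> Zone:
    """Model the attack in the thread: a DNS-controlling attacker deletes the CAA RRset."""
    copy = dict(zone)
    copy[owner] = []
    return copy


if __name__ == "__main__":
    for n, ca, wc in [("www.example.test.", "letsencrypt.org", False),
                      ("www.example.test.", "other-ca.example", False),
                      ("example.test.", "letsencrypt.org", True)]:
        print(n, ca, "wildcard" if wc else "", ca_may_issue(ZONE, n, ca, wc))
    print("after tampering:", ca_may_issue(tampered_zone(ZONE, "example.test."), "www.example.test.", "other-ca.example"))
```

The `iodef` record is the one piece of CAA that helps here: a CA that refuses issuance because of CAA can report the attempt to that address, so a request from an unexpected CA may still reach you even if the rest of the attack is in progress, provided the attacker left the record in place.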


What about DNSSEC?
If you correctly apply this and Let’s Encrypt checks it (I don’t know if that is the case), the attacker would have to control the TLD root cert.