The CAA record can also mandate use of the DNS-01 ACME method (disallowing HTTP-01), at least if LE has enabled that in production yet. Combined with DNSSEC, this makes it cryptographically impossible for a CA honoring the requirement to check CAA to issue a certificate to the attacker, unless the attacker has already managed to coerce a fraudulent DS record to be installed at some level of the DNS hierarchy.
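The CAA check the comment above relies on, written out as an added example (this is not the commenter's code and not any CA's implementation): a small evaluator for `issue`/`issuewild` records per RFC 8659, extended with the RFC 8657 `validationmethods` and `accounturi` parameters that let a zone owner pin a CA to DNS-01 or to one ACME account. The zone below is a constructed dict standing in for a DNS lookup, so the tree walk and the DNSSEC validation a real CA performs are out of scope; owner names, the CA domain and the account URI are sample values.

```python
from typing import Dict, List, Optional, Tuple

# A CAA record as (flags, tag, value), e.g. (0, "issue", "letsencrypt.org; validationmethods=dns-01")
CAARecord = Tuple[int, str, str]

ISSUER_CRITICAL = 0x80                     # RFC 8659 section 4.1 "issuer critical" flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample zone (not a live DNS lookup): owner name -> CAA RRset.
SAMPLE_ZONE: Dict[str, List[CAARecord]] = {
    "example.com.": [
        (0, "issue", "letsencrypt.org; validationmethods=dns-01"),  # LE only, and only via DNS-01
        (0, "issuewild", ";"),                                        # nobody may issue wildcard certs
        (0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.com.": [
        (0, "issue", "letsencrypt.org"),                              # no validation-method restriction
    ],
    "pinned.example.com.": [
        # accounturi is a constructed sample value in the shape of an ACME account URL
        (0, "issue", "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/123456"),
    ],
    "strict.example.com.": [
        (ISSUER_CRITICAL, "futuretag", "whatever"),                   # unknown tag with critical bit set
    ],
}


def relevant_caa_set(zone: Dict[str, List[CAARecord]], fqdn: str) -> List[CAARecord]:
    """RFC 8659 section 3: walk from the FQDN toward the root and return the first
    non-empty CAA RRset. CNAME/DNAME handling is omitted in this example."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        rrset = zone.get(name)
        if rrset:
            return rrset
    return []


def parse_issue_value(value: str) -> Tuple[str, Dict[str, str]]:
    """Split an issue/issuewild value into (issuer_domain, {param: value}).
    An empty issuer domain (value ";" or "") authorises no CA at all."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip()
    # Parameters this example does not know are ignored; RFC 8659 leaves their
    # semantics to the issuer, so a real CA may choose to refuse instead.
    return issuer, params


def issuance_permitted(rrset: List[CAARecord], ca_domain: str, method: str,
                       wildcard: bool = False, account_uri: Optional[str] = None) -> bool:
    """Decide whether ca_domain may issue using ACME validation `method`
    (e.g. "dns-01", "http-01") given the relevant CAA RRset."""
    # RFC 8659 section 4.1: an unrecognised property with the critical bit set blocks issuance.
    for flags, tag, _ in rrset:
        if flags & ISSUER_CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False
    tags = {tag.lower() for _, tag, _ in rrset}
    # RFC 8659 section 4.3: issuewild takes precedence for wildcard names when present.
    applicable = "issuewild" if (wildcard and "issuewild" in tags) else "issue"
    candidates = [v for _, tag, v in rrset if tag.lower() == applicable]
    if not candidates:
        return True  # no applicable issue/issuewild property: CAA does not restrict issuance
    for value in candidates:
        issuer, params = parse_issue_value(value)
        if issuer != ca_domain.lower():
            continue
        methods = params.get("validationmethods")        # RFC 8657 section 4
        if methods is not None and method.lower() not in [m.strip().lower() for m in methods.split(",")]:
            continue
        acct = params.get("accounturi")                  # RFC 8657 section 3
        if acct is not None and acct != account_uri:
            continue
        return True
    return False


def may_issue(zone: Dict[str, List[CAARecord]], fqdn: str, ca_domain: str, method: str,
              account_uri: Optional[str] = None) -> bool:
    """Entry point: a wildcard request for *.example.com is evaluated against
    example.com's CAA set with issuewild semantics, as CAs apply RFC 8659."""
    wildcard = fqdn.startswith("*.")
    base = fqdn[2:] if wildcard else fqdn
    return issuance_permitted(relevant_caa_set(zone, base), ca_domain, method, wildcard, account_uri)


if __name__ == "__main__":
    print(may_issue(SAMPLE_ZONE, "www.example.com.", "letsencrypt.org", "dns-01"))   # True
    print(may_issue(SAMPLE_ZONE, "www.example.com.", "letsencrypt.org", "http-01"))  # False
    print(may_issue(SAMPLE_ZONE, "*.example.com.", "letsencrypt.org", "dns-01"))     # False
```

Note what the evaluator does and does not buy you: `www.example.com` inherits the parent's DNS-01-only record, so an HTTP-01 challenge answered from a hijacked web path fails even though the attacker controls port 80, while `legacy.example.com` carries its own unrestricted `issue` record and stays open to HTTP-01. The decision is only as trustworthy as the CAA lookup feeding it, which is the DNSSEC point made above.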