On Sun, Apr 11, 2021 at 03:34:06PM +0100, Ben Laurie wrote: > What I mean is that the authorities for DNS get compromised far more often > than CAs do. But any compromise of a registrant, registrar or registry also compromises CA certificate issuance. The CAs are redundant so long as the attestation they're performing is "domain control". > Also, DNS has the same plethora of authorities with varying > security responsibility. Choose a security-conscious registrar, and apply registrar lock, and any other available/applicable options to prevent unauthorised changes to domain registration metadata. -- Viktor.