On Sun, Apr 11, 2021 at 03:34:06PM +0100, Ben Laurie wrote:
> What I mean is that the authorities for DNS get compromised far more often
> than CAs do.
But any compromise of a registrant, registrar or registry also
compromises CA certificate issuance. The CAs are redundant so
long as the attestation they're performing is "domain control".
> Also, DNS has the same plethora of authorities with varying
> security responsibility.
Choose a security-conscious registrar, and apply registrar lock, and any
other available/applicable options to prevent unauthorised changes to
domain registration metadata.
--
Viktor.
