On Fri, Oct 10, 2025 at 10:47:53AM -0700, Benjamin Kaduk wrote:

> - I may have missed something key, but in the scenario where the DNS zone
> gets compromised an attacker can introduce a very-long-lived persistent
> validation, we need to consider what bounds the length of that validation
> and whether/how the rightful domain owner can invalidate that validation.
> I.e., just removing the fraudulent record may not suffice and we may need
> a way to "cancel" a previous validation, or a protocol-level cap on the
> duration of time for which a validation record is valid.
Deleting the record (which someone with zone control can do) cancels the validation, no matter how long-lived the validation is?

The only thing I know that would behave anything like that is setting a very long DNS TTL. And bad records with very long TTL are not a new problem: for example, records with long TTL pointing to hijacked nameservers.

Resolvers can cap the DNS TTL. AFAIK, Let's Encrypt caps the TTL to 1 minute.

-Ilari

_______________________________________________
Acme mailing list -- [email protected]
