On Fri, Apr 11, 2014 at 10:32:31AM +1000, Mark Andrews wrote:
No quite the same. A CA could issue a cert without any checking
for any domain. Here you need to be the registrar of record to add
records to the registry. Also a registry can only add records for
the namespace it manages not any arbitary name.
So to get a bad DS added you need to be a corrupt registry or a
corrupt employee of registry or you need to compromise the registrants
credentials or you need to succeed in transfering the zone to you.
Or you have to be the corrupt registry operator or an employee for the
registry operator (i.e., Verisign for the .com domain)....
- Ted