Duplicate Signature Key Selection Attack in Let's Encrypt (agwa.name)
71 points by kkl on Dec 12, 2015 | 4 comments


Fortunately, it was mitigated before Let's Encrypt was publicly trusted. http://www.ietf.org/mail-archive/web/acme/current/msg00611.h...


To be clear, the challenge types in question were removed from Let's Encrypt production config during the private beta period (when we had a strict whitelist of domains allowed to be issued for), had mitigations for them in while they were out, and we deleted the code for them entirely the other day (in https://github.com/letsencrypt/boulder/pull/1247).


Wait, what good is a signature then if you can craft it? I may have misunderstood, would appreciate a dumbed down answer.


A signature is good in this use case:

1) You have a public key you trust.

2) You get a message + hash + signature. You want to verify.

What we had here is:

1) There is a DNS record with a signature value only.

2) You send the public key + the message, and want to get the same signature value.

This isn't secure, as per the article.
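
The contrast drawn in the comment above, as an added example that is not part of the thread and not Let's Encrypt's code: a validator that only compares a published signature against whatever key the client submits, beside one that also binds the record to a specific key. It assumes textbook RSA without padding on a constructed toy key; all names are hypothetical, and the fingerprint binding is an illustrative fix, not the mitigation ACME adopted.

```python
import hashlib

def h(msg: bytes) -> int:
    """SHA-256 of the message as an integer."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def verify(pub, msg, sig):
    """Textbook RSA check (no padding; assumption made to keep the example small)."""
    n, e = pub
    return pow(sig, e, n) == h(msg) % n

def fingerprint(pub):
    """Hash of the public key, used to name the key a record belongs to."""
    n, e = pub
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()

# Constructed toy key pair from two Mersenne primes; far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
OWNER_PUB = (P * Q, E)
OWNER_D = pow(E, -1, (P - 1) * (Q - 1))

# Constructed message and the owner's signature over it (the published value).
MSG = b"constructed-challenge-token"
SIG = pow(h(MSG) % OWNER_PUB[0], OWNER_D, OWNER_PUB[0])

def second_key_for(msg, sig):
    """A different 'public key' under which the same sig verifies for msg.

    With e = 1 and n = h(msg) - sig, sig mod n equals h(msg) mod n, so a
    verifier that trusts the submitted key accepts the existing signature.
    """
    return (h(msg) - sig, 1)

def validate_signature_only(record_sig, pub, msg):
    """Weak check: the record holds a signature value and nothing else."""
    return verify(pub, msg, record_sig)

def validate_key_bound(record, pub, msg):
    """Bound check: the record also names the key the signature belongs to."""
    sig, key_fp = record
    return fingerprint(pub) == key_fp and verify(pub, msg, sig)

if __name__ == "__main__":
    other = second_key_for(MSG, SIG)
    print("signature-only accepts second key:", validate_signature_only(SIG, other, MSG))
    bound = (SIG, fingerprint(OWNER_PUB))
    print("key-bound accepts second key:", validate_key_bound(bound, other, MSG))
```

Rejecting e = 1 alone would not close the gap, since the weak check still lets the submitter choose the key; the verifier has to fix the key before it looks at the signature.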



