[Servercert-wg] [EXTERNAL] Update definition of IP Address Contact in the BRs

Paul van Brouwershaven Paul.vanBrouwershaven at entrust.com
Thu Feb 4 11:21:35 UTC 2021


While that was not the intention, we might want to reconsider this.

I just checked a few domains in the Cisco Umbrella 1 Million and many of them show the same problem.

But if we accept that an external DNS operator can be trusted, it might not be an issue.

The difference is that for other methods a provider needs to add or change DNS records, but for the SOA contact they can use an email address that is already in place.
________________________________
From: Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
Sent: Thursday, February 4, 2021 11:49
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>; Paul van Brouwershaven <Paul.vanBrouwershaven at entrust.com>
Subject: Re: [Servercert-wg] [EXTERNAL] Update definition of IP Address Contact in the BRs



On 4/2/2021 12:28 PM, Dimitris Zacharopoulos (HARICA) via Servercert-wg wrote:


On 4/2/2021 10:31 AM, Paul van Brouwershaven wrote:
The problem is that many DNS providers default this value to an address of their own.

While many in-addr.arpa zones are probably operated by the range owner in some automated system, some smaller ranges might be delegated to a DNS provider. There are, for example, almost 3000 zones hosted on AWS Route 53; some sampling showed that many have the address 'awsdns-hostmaster at amazon.com' in the SOA record.


In addition to my earlier comment, Paul, your comment appears to question an existing requirement for Forward Lookup Domain Name queries. Was your intention to challenge an existing requirement for the Domain Contact definition?


Thanks,
Dimitris.
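
The SOA sampling discussed in this thread, as an added example that is not part of the original messages: it converts each SOA RNAME to a mailbox and reports contacts shared by several zones, which is how a DNS operator's default address shows up. The zone names, MNAME values and the two non-AWS contacts are constructed sample data; only the awsdns-hostmaster address comes from the thread.

```python
import re
from collections import defaultdict

# Constructed sample: (zone, SOA rdata) pairs as a resolver would return them.
# Reverse zones use documentation ranges; MNAMEs are placeholders.
SAMPLE = [
    ("2.0.192.in-addr.arpa.",
     "ns1.dns-operator.example. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400"),
    ("100.51.198.in-addr.arpa.",
     "ns2.dns-operator.example. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400"),
    ("113.0.203.in-addr.arpa.",
     "ns1.example.net. hostmaster.example.net. 2021020401 3600 600 604800 300"),
    ("example.org.",
     r"ns1.example.org. ip\.admin.example.org. 2021020401 3600 600 604800 300"),
]


def rname_to_email(rname: str) -> str:
    """Convert an SOA RNAME in master-file form (RFC 1035) to a mailbox.

    The first unescaped dot separates the local part from the domain;
    a literal dot inside the local part is written as a backslash-dot.
    """
    name = rname.rstrip(".")
    m = re.match(r"((?:\\.|[^.\\])+)\.(.+)$", name)
    if not m:
        raise ValueError(f"RNAME has no domain part: {rname!r}")
    local = re.sub(r"\\(.)", r"\1", m.group(1))  # drop the escaping
    return f"{local}@{m.group(2).lower()}"


def shared_contacts(soa_records, min_zones=2):
    """Return {contact: [zones]} for contacts used by at least min_zones zones.

    A contact shared by unrelated zones is likely the DNS operator's default
    rather than an address chosen by the zone or range owner.
    """
    zones_by_contact = defaultdict(set)
    for zone, rdata in soa_records:
        _mname, rname = rdata.split()[:2]
        zones_by_contact[rname_to_email(rname)].add(zone.rstrip(".").lower())
    return {contact: sorted(zones)
            for contact, zones in zones_by_contact.items()
            if len(zones) >= min_zones}


if __name__ == "__main__":
    for contact, zones in shared_contacts(SAMPLE).items():
        print(f"{contact} is the SOA contact for {len(zones)} zones: {zones}")
```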
