[Servercert-wg] [EXTERNAL] Update definition of IP Address Contact in the BRs
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Thu Feb 4 12:16:37 UTC 2021
On 4/2/2021 1:21 PM, Paul van Brouwershaven wrote:
> While that was not the intention, we might want to reconsider this.
>
> I just checked a few domains in the Cisco Umbrella 1 Million and many
> of them show the same problem.
>
> But if we accept that an external DNS operator can be trusted, it
> might not be an issue.
I believe external DNS operators can be trusted. This has been
established in previous discussions of the Validation Subcommittee and
F2F meetings.
Dimitris.
>
> The difference is that for other methods a provider needs to add or
> change DNS records, but for the SOA contact they can use an email
> address that is already in place.
> ------------------------------------------------------------------------
> *From:* Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
> *Sent:* Thursday, February 4, 2021 11:49
> *To:* CA/B Forum Server Certificate WG Public Discussion List
> <servercert-wg at cabforum.org>; Paul van Brouwershaven
> <Paul.vanBrouwershaven at entrust.com>
> *Subject:* Re: [Servercert-wg] [EXTERNAL] Update definition of IP
> Address Contact in the BRs
>
>
> On 4/2/2021 12:28 PM, Dimitris Zacharopoulos (HARICA) via
> Servercert-wg wrote:
>>
>>
>> On 4/2/2021 10:31 AM, Paul van Brouwershaven wrote:
>>> The problem is that many DNS providers default this value to an
>>> address of their own.
>>>
>>> Where many in-addr.arpa zones are probably operated by the range owner
>>> in some automated system, some smaller ranges might be delegated to
>>> a DNS provider. There are for example almost 3000 zones hosted on
>>> AWS Route 53, some sampling showed that many have the address
>>> 'awsdns-hostmaster at amazon.com'
>>> in the SOA record.
>>>
>
> In addition to my earlier comment, Paul, your comment appears to
> question an existing requirement for Forward Lookup Domain Name
> queries. Was your intention to challenge an existing requirement for
> the Domain Contact definition?
>
>
> Thanks,
> Dimitris.
>
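
Added example, not part of the original thread: a sketch of how a CA-side check could decode the SOA RNAME of a reverse zone into the contact mailbox and report whether it is a DNS provider's default address, as described for Route 53 above. The function names, the PROVIDER_DEFAULTS set and the sample records are assumptions constructed for illustration; what to do with a flagged mailbox is left to policy.

```python
import re

# Provider-default mailbox named in the thread; any further entries
# would be a CA's own policy list (assumption).
PROVIDER_DEFAULTS = {"awsdns-hostmaster@amazon.com"}


def rname_to_mailbox(rname: str) -> str:
    """Convert an SOA RNAME (RFC 1035) to an e-mail address.

    The first unescaped dot separates local part from domain; a dot
    inside the local part is written as '\\.' in the zone file.
    """
    name = rname.rstrip(".")
    parts = re.split(r"(?<!\\)\.", name, maxsplit=1)
    if len(parts) != 2 or not parts[0] or not parts[1]:
        raise ValueError(f"RNAME has no mailbox/domain split: {rname!r}")
    local = parts[0].replace("\\.", ".")
    return f"{local}@{parts[1]}".lower()


def soa_contact(soa_line: str) -> dict:
    """Parse one single-line SOA record in presentation format."""
    fields = soa_line.split()
    i = fields.index("SOA")          # owner [ttl] [class] SOA mname rname ...
    mailbox = rname_to_mailbox(fields[i + 2])
    return {
        "zone": fields[0].rstrip(".").lower(),
        "mailbox": mailbox,
        "provider_default": mailbox in PROVIDER_DEFAULTS,
    }


# Constructed sample records (documentation address ranges, made-up hosts).
SAMPLE = [
    "2.0.192.in-addr.arpa. 900 IN SOA ns.dns-provider.example. "
    "awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400",
    "100.51.198.in-addr.arpa. 3600 IN SOA ns1.example.net. "
    "noc\\.ip.example.net. 2021020401 7200 900 1209600 3600",
]

if __name__ == "__main__":
    for record in SAMPLE:
        info = soa_contact(record)
        note = "provider default" if info["provider_default"] else "zone-specific"
        print(f'{info["zone"]}: {info["mailbox"]} ({note})')
```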