[Servercert-wg] Update definition of IP Address Contact in the BRs

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Thu Feb 4 16:17:23 UTC 2021



On 4/2/2021 5:49 PM, Ryan Sleevi wrote:
>
>
> On Thu, Feb 4, 2021 at 2:24 AM Dimitris Zacharopoulos (HARICA) via 
> Servercert-wg <servercert-wg at cabforum.org 
> <mailto:servercert-wg at cabforum.org>> wrote:
>
>     I would like to propose an amendment to the definition "IP Address
>     Contact". Following the example of a "Domain Contact", for
>     consistency we should allow a CA to use the DNS SOA record as IP
>     Address Contact information.
>
>     Current definition:
>
>     *IP Address Contact*: The person(s) or entity(ies) registered
>     with an IP Address Registration Authority as having the right to
>     control how one or more IP Addresses are used.
>
>     Proposed new definition:
>     /
>     //*IP Address Contact*//: The person(s) or entity(ies) registered
>     with an IP Address Registration Authorityor in a DNS SOA record as
>     having the right to control how one or more IP Addresses are used./
>
>     Are there any objections or concerns with this proposal?
>
>
> Yes.
>
> IP Addresses do not have DNS SOA records. What you're proposing 
> doesn't make sense (as specified).

Well, the idea was to do a reverse lookup.

For example, search for 93.184.216.34.

dig 34.216.184.93.in-addr.arpa

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> 34.216.184.93.in-addr.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23163
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;34.216.184.93.in-addr.arpa.    IN      A

;; AUTHORITY SECTION:
216.184.93.in-addr.arpa. 520    IN      SOA     ns1.edgecastcdn.net. *noc.edgecast.com*. 1589310095 3600 600 604800 600

;; Query time: 76 msec
;; SERVER: 192.168.10.254#53(192.168.10.254)
;; WHEN: Thu Feb 04 18:10:02 EET 2021
;; MSG SIZE  rcvd: 126

would allow a CA to send an email to noc at edgecast.com using method 
3.2.2.5.2, in the same way as it would work for 3.2.2.4.2.


>
> It's also not clear to me the motivation of why. I'm hoping you can 
> elaborate if there are more concrete arguments in favor other than 
> "for consistency". For example, an explanation of use cases that are 
> otherwise unmet without this change, particularly since it'll require 
> careful language to ensure it does what I believe you're trying to do, 
> but which is not yet specified to do so :)

I consider this a secure method of contacting the entity that 
controls/owns the IP address space, just as the SOA can be used for 
forward Domain Name lookups as part of 3.2.2.4.2.

I hope this helps. Is this what you believe I was trying to do? I must 
agree about the "as specified" comment, it probably needs some language 
skills to describe the reverse lookup for an IPv4 and IPv6.


Dimitris.
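The reverse-lookup walk described in this message, as an added example that is not part of the thread: it builds the in-addr.arpa / ip6.arpa name for an IPv4 or IPv6 address, walks up to the enclosing zone's SOA, and turns the RNAME into a mailbox. The SOA table is a constructed stand-in for live DNS (the IPv4 entry copies the record from the dig output above; the IPv6 entry is invented).

```python
import ipaddress
# Constructed stand-in for live DNS answers, keyed by zone apex. The IPv4 entry is the SOA
# from the dig output above; the IPv6 entry is made up to show an escaped dot in the RNAME.
CONSTRUCTED_SOA = {
    "216.184.93.in-addr.arpa.":
        "ns1.edgecastcdn.net. noc.edgecast.com. 1589310095 3600 600 604800 600",
    "8.b.d.0.1.0.0.2.ip6.arpa.":
        "ns1.example.net. hostmaster\\.team.example.net. 1 3600 600 604800 600",
}

def reverse_name(ip: str) -> str:
    """Reverse-lookup owner name: in-addr.arpa for IPv4, nibble form under ip6.arpa for IPv6."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def ancestor_zones(name: str):
    """Yield the reverse name and each enclosing name, stopping before the bare in-addr.arpa / ip6.arpa suffix (its SOA names the registry, not the holder)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels) - 2):
        yield ".".join(labels[i:]) + "."

def split_labels(name: str) -> list:
    """Split a domain name into labels; a backslash-escaped dot stays inside its label (RFC 1035 3.3.13)."""
    labels, current, escaped = [], "", False
    for ch in name.rstrip("."):
        if escaped:
            current, escaped = current + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ".":
            labels.append(current)
            current = ""
        else:
            current += ch
    labels.append(current)
    return labels

def rname_to_mailbox(rname: str) -> str:
    """SOA RNAME to mailbox: the first label is the local part, the remaining labels the domain."""
    labels = split_labels(rname)
    return labels[0] + "@" + ".".join(labels[1:])

def soa_contact(ip: str, soa_lookup=CONSTRUCTED_SOA.get):
    """Walk up from the full reverse name until a zone has an SOA; return (zone, mailbox) or None.
    A live resolver hands back the enclosing SOA in the AUTHORITY section of one query, as dig did."""
    for zone in ancestor_zones(reverse_name(ip)):
        rdata = soa_lookup(zone)
        if rdata:
            return zone, rname_to_mailbox(rdata.split()[1])
    return None
```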