[Servercert-wg] Update definition of IP Address Contact in the BRs
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Thu Feb 4 16:17:23 UTC 2021
On 4/2/2021 5:49 PM, Ryan Sleevi wrote:
>
>
> On Thu, Feb 4, 2021 at 2:24 AM Dimitris Zacharopoulos (HARICA) via
> Servercert-wg <servercert-wg at cabforum.org
> <mailto:servercert-wg at cabforum.org>> wrote:
>
> I would like to propose an amendment to the definition "IP Address
> Contact". Following the example of a "Domain Contact", for
> consistency we should allow a CA to use the DNS SOA record as IP
> Address Contact information.
>
> Current definition:
>
> *IP Address Contact*: The person(s) or entity(ies) registered
> with an IP Address Registration Authority as having the right to
> control how one or more IP Addresses are used.
>
> Proposed new definition:
>
> *IP Address Contact*: The person(s) or entity(ies) registered
> with an IP Address Registration Authority or in a DNS SOA record as
> having the right to control how one or more IP Addresses are used.
>
> Are there any objections or concerns with this proposal?
>
>
> Yes.
>
> IP Addresses do not have DNS SOA records. What you're proposing
> doesn't make sense (as specified).
Well, the idea was to do a reverse lookup.
For example, search for 93.184.216.34:
dig 34.216.184.93.in-addr.arpa
; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> 34.216.184.93.in-addr.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23163
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;34.216.184.93.in-addr.arpa. IN A
;; AUTHORITY SECTION:
216.184.93.in-addr.arpa. 520 IN SOA ns1.edgecastcdn.net.
*noc.edgecast.com*. 1589310095 3600 600 604800 600
;; Query time: 76 msec
;; SERVER: 192.168.10.254#53(192.168.10.254)
;; WHEN: Thu Feb 04 18:10:02 EET 2021
;; MSG SIZE rcvd: 126
This would allow a CA to send an email to noc at edgecast.com using method
3.2.2.5.2, similarly to how it works for 3.2.2.4.2.
>
> It's also not clear to me the motivation of why. I'm hoping you can
> elaborate if there are more concrete arguments in favor other than
> "for consistency". For example, an explanation of use cases that are
> otherwise unmet without this change, particularly since it'll require
> careful language to ensure it does what I believe you're trying to do,
> but which is not yet specified to do so :)
I consider this a secure method of contacting the entity that
controls/owns the IP address space, just as the SOA can be used for
forward Domain Name lookups as part of 3.2.2.4.2.
I hope this helps. Is this what you believe I was trying to do? I must
agree about the "as specified" comment; it probably needs some language
skills to describe the reverse lookup for IPv4 and IPv6.
Dimitris.
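As an added illustration (not part of the thread or of any CA's tooling), the steps described above for both IPv4 and IPv6: build the in-addr.arpa / ip6.arpa name, walk up the reverse tree to the enclosing zone's SOA (as the dig output shows for the NXDOMAIN case), and turn the SOA RNAME into a mailbox. The SOA table is constructed for the example and stands in for live DNS; the hostmaster IPv6 entry is invented.

```python
import ipaddress
from typing import Optional

# Constructed stand-in for live reverse-DNS lookups: zone apex -> SOA RNAME
# as it appears in DNS. The in-addr.arpa entry mirrors the dig output above;
# the ip6.arpa entry is an invented sample with an escaped dot in the RNAME.
SAMPLE_SOA_RNAMES = {
    "216.184.93.in-addr.arpa": "noc.edgecast.com.",
    "8.b.d.0.1.0.0.2.ip6.arpa": "hostmaster\\.ipv6.example.net.",
}


def reverse_name(ip: str) -> str:
    """Owner name under in-addr.arpa (octets reversed) or ip6.arpa (nibbles reversed)."""
    return ipaddress.ip_address(ip).reverse_pointer


def find_soa_rname(ip: str, soa_table: dict) -> Optional[str]:
    """Walk up from the full reverse name until a zone with an SOA is found.

    The exact name may be NXDOMAIN (as in the dig example) while the enclosing
    zone still answers with an SOA in the AUTHORITY section.
    """
    labels = reverse_name(ip).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in soa_table:
            return soa_table[candidate]
    return None


def rname_to_mailbox(rname: str) -> str:
    """RFC 1035 RNAME -> mailbox: first unescaped dot becomes '@'; '\\.' is a literal dot."""
    local = []
    rest = rname.rstrip(".")
    i = 0
    while i < len(rest):
        if rest[i] == "\\" and i + 1 < len(rest):
            local.append(rest[i + 1])
            i += 2
        elif rest[i] == ".":
            return "".join(local) + "@" + rest[i + 1:]
        else:
            local.append(rest[i])
            i += 1
    return "".join(local)


def ip_address_contact_email(ip: str, soa_table=SAMPLE_SOA_RNAMES) -> Optional[str]:
    """Email address a CA would use for the 3.2.2.5.2-style contact, or None."""
    rname = find_soa_rname(ip, soa_table)
    return rname_to_mailbox(rname) if rname else None
```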