[cabf_validation] Certificates with in-addr.arpa dNSNames

Corey Bonnell CBonnell at trustwave.com
Fri Feb 2 07:51:45 MST 2018

Inspired by yesterday’s working group call, I did some searching in crt.sh and discovered that there are several hundred still-valid certificates that contain dNSNames for “in-addr.arpa” subdomains: https://crt.sh/?dNSName=%25.in-addr.arpa&exclude=expired.

I believe this may be a problematic practice, as RFC 3172, section 2 (http://www.rfcreader.com/#rfc3172_line65) states:
This domain is termed an "infrastructure domain", as its role is to support the operating infrastructure of the Internet. In particular, the "arpa" domain is not to be used in the same manner (e.g., for naming hosts) as other generic Top Level Domains are commonly used.

Given that this is directly relevant to the main topic (IP address validation) of yesterday’s call, I wanted to point these certificates out as something that we may want to address while reworking IP address validation rules. I am particularly interested to hear from CAs issuing certificates with “in-addr.arpa” subdomains in case I missed something and this is actually a perfectly acceptable practice.


Corey Bonnell
Senior Software Engineer
t: +1 412.395.2233


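As an added example (not code from the original post or from any CA), a lint that a CA or relying party could run over a certificate's SAN dNSName list: it flags every name under the arpa infrastructure domain that RFC 3172 reserves, and for complete in-addr.arpa or ip6.arpa reverse-mapping names it recovers the IP address the name encodes, which is what such a certificate effectively names. The function names and the sample inputs are my own assumptions.

```python
import ipaddress

# Added example, not from the original post: lint SAN dNSName entries against the
# RFC 3172 rule that the "arpa" domain is not to be used for naming hosts.


def normalize_dnsname(name: str) -> str:
    """Lower-case and drop a trailing dot so comparisons are stable."""
    return name.strip().lower().rstrip(".")


def decode_reverse_name(name: str):
    """Return the address a complete in-addr.arpa (4 octets) or ip6.arpa
    (32 nibbles) name encodes, or None for partial, wildcard or malformed names."""
    labels = normalize_dnsname(name).split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        try:
            return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
        except ValueError:  # e.g. a wildcard label such as "*" or an octet > 255
            return None
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        nibbles = "".join(reversed(labels[:32]))
        if len(nibbles) == 32 and all(c in "0123456789abcdef" for c in nibbles):
            groups = (nibbles[i:i + 4] for i in range(0, 32, 4))
            return ipaddress.IPv6Address(":".join(groups))
    return None


def check_san_dnsnames(dnsnames):
    """Lint a certificate's dNSName list.

    Returns a list of (original_name, reason, decoded_address_or_None) findings,
    one per name that falls under the arpa infrastructure domain."""
    findings = []
    for raw in dnsnames:
        labels = normalize_dnsname(raw).split(".")
        if labels[-1] != "arpa":
            continue  # ordinary host name, outside the infrastructure domain
        if labels[-2:] == ["in-addr", "arpa"]:
            reason = "in-addr.arpa name (IPv4 reverse-mapping tree)"
        elif labels[-2:] == ["ip6", "arpa"]:
            reason = "ip6.arpa name (IPv6 reverse-mapping tree)"
        else:
            reason = "other name under the arpa infrastructure domain"
        addr = decode_reverse_name(raw)
        findings.append((raw, reason, str(addr) if addr is not None else None))
    return findings


if __name__ == "__main__":
    # Constructed sample SAN list, not taken from any real certificate.
    for finding in check_san_dnsnames(["www.example.com", "4.3.2.1.IN-ADDR.ARPA.",
                                       "*.2.1.in-addr.arpa", "2.0.0.0.ip6.arpa"]):
        print(finding)
```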