[cabf_validation] Certificates with in-addr.arpa dNSNames

Tim Hollebeek tim.hollebeek at digicert.com
Fri Feb 2 09:03:15 MST 2018

I’m very curious as well, especially since I actually successfully contacted a web server on one of these domains.  Unless I’m missing something, things like www.126.47.177.in-addr.arpa <http://www.126.47.177.in-addr.arpa>  should not exist.  Yet it has a certificate!




From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Corey Bonnell via Validation
Sent: Friday, February 2, 2018 7:52 AM
To: validation at cabforum.org
Subject: [cabf_validation] Certificates with in-addr.arpa dNSNames



Inspired by yesterday’s working group call, I did some searching in crt.sh and discovered that there are several hundred still-valid certificates that contain dNSNames for “in-addr.arpa” subdomains: https://crt.sh/?dNSName=%25.in-addr.arpa&exclude=expired.


I believe this may be a problematic practice, as RFC 3172, section 2 (http://www.rfcreader.com/#rfc3172_line65) states:

This domain is termed an "infrastructure domain", as its role is to support the operating infrastructure of the Internet. In particular, the "arpa" domain is not to be used in the same manner (e.g., for naming hosts) as other generic Top Level Domains are commonly used.


Given that this is directly relevant to the main topic (IP address validation) of yesterday’s call, I wanted to point these certificates out as something that we may want to address while reworking IP address validation rules. I am particularly interested to hear from CAs issuing certificates with “in-addr.arpa” subdomains in case I missed something and this is actually a perfectly acceptable practice.





Corey Bonnell

Senior Software Engineer

t: +1 412.395.2233




2017 Best Managed Security Service Winner – SC Media

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20180202/77c1e375/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4940 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/validation/attachments/20180202/77c1e375/attachment-0001.p7s>

More information about the Validation mailing list