Clarify validation requirements for .arpa #153
Comments
|
Although the safest approach would be to prohibit issuance to these "special" TLDs, it might be worth considering requiring that:
MUST be present in the dNSName value. These "Domain Names" shall be validated by using the validation methods for IP addresses according to section 3.2.2.5, and wildcards shall not be allowed. Thoughts? |
|
There seemed strong consensus for forbidding, and there is a compelling argument they are already forbidden as they are registry controlled, so perhaps you can explain the use case more? It important to explain the “why” - and not just saying “because people might want them” - as it is to figure out the how. The description of the “how” has issues, but if you’d like to articulate the “why”, that might help figure if they’re worth resolving. |
|
I was the one who first proposed to forbid this on the call, and there were two more voices on the call that said "ok". We need a lot more discussion to determine if there is broader consensus for this decision. I am having second thoughts exactly because I am not aware of what might "break" if we forbid this. Until we discuss more about the use cases (I hope others will come forward to share their experience), we could save some time if you can share your thoughts about any risks with my proposal. I think it would be very useful. |
|
Thanks for clarifying. I’m not a fan of allowing something difficult to get right because it “might” be useful. I think it remains a better position to start by disallowing it, and if there are CAs with concrete use cases, they can share them so we can discuss. Absent a use case, it’s difficult to respond properly on how to address that use case. Given we have iPAddress SANs, the use case you seem to be wanting to address is already met. |
|
Fair enough 🙂 |
sleevi
added
the
baseline-requirements
|
It's also worth noting that RFC 8738 overloads .arpa as a way to validate IP address certificates, Allowing these names to have certs creates some additional ambiguity. Forbidding certs from having .arpa names also opens up some possibilities for IP address certs:
(Neither of these two items is standardized today, but it may make sense to do so.) |
|
According to this Censys query, publicly trusted CAs have not issued any certificates with a .arpa dNSName in 2023: https://search.censys.io/search?resource=certificates&q=parsed.extensions.subject_alt_name.dns_names%3A%2F.%2B%5C.arpa%2F+and+parsed.validity_period.not_before%3A%5B2023-01-01+TO+*%5D. There is always the possibility that such certificates were issued but never logged to CT, but the number of such certificates would be very small. We should consider prohibiting the issuance of such certificates, especially since the current impact of such a prohibition would be nil. |
|
I will develop a ballot to prohibit the issuance of such domains. |
|
Still ongoing |
In zmap/zlint#343, there were questions raised about whether the special use
in.arpaandin6.arpadomains may make use of wildcards.BRs section 3.2.2.6 has special provisions for when the wildcard appears to the left of particular domain labels, and it’s ambiguous whether or not that section is triggered, based on how IANA administers that root zone and delegates to the RIRs.
The text was updated successfully, but these errors were encountered: