SC-86: Sunset the Inclusion of Domain Names with an IP Reverse Zone Suffix #573
Conversation
CBonnell
changed the title
|
I've been following this discussion for a while. It appears to have originated in #153 (via zmap/zlint#343) where the problem of wildcard certificates under RIR-controlled rDNS names appeared. In that thread, it seemed like prohibiting certificates with a wildcard SAN covering an rDNS name would be a good thing to do. It could be easily implemented by looking whether there is a wildcard at any of the labels that is supposed to represent an IPv4 address octet / an IPv6 address nibble. For some reason, the proposal has shifted to prohibiting certificates under .arpa altogether. I seem to have missed how we went from wildcard to general prohibition! While the thread linked above only talks explicitly about wildcards, the pre-ballot discussion only talks explicitly about the general prohibition. It would be nice to learn what triggered that shift, especially considering the following points:
It's not clear why the (valid) concern for wildcard certificates covering subnet rDNS would need to be addressed in a way that shuts that door unnecessarily. (Of course, in theory, the rules could be changed again. In practice, people would think "DoX can't be done under .arpa because you can't have a certificate", and drop the idea.)
These use cases do not collide with the IP address validation SNI ambiguity, and they also have nothing to do with the wildcard problem that this discussion originally started with. All in all, it seems that a general prohibition of certificate issuance under .arpa would be overly broad, and in particular not motivated by any technical or security reasons. Arbitrary carve-outs add needless complexity (e.g., for the nameservers under .arpa), and should be avoided where possible. The concerns of wildcard certificates and RFC 8738 SNI overloading are addressed by making only the following two changes:
I'd like to encourage an exchange about whether the proposal could be narrowed down this way, and if it cannot, what the reaons would be. (Note that (1) breaks sites like https://160.176.40.77.in-addr.arpa/ (which actually exists), and could alternatively be addressed by deprecating validation methods 3.2.2.5.3 and 3.2.2.5.7, or by amending RFC 6066 Section 3 to allow literal IP addresses in the SNI HostName. -- In any case, though, it is not necessary to rule out certificates for subnames of rDNS FQDNs, or for nameservers under .arpa.) Disclosure: I've shared these concerns with the ICANN Security and Stability Advisory Committee of which I am a member, but am not speaking for the committee, nor has the committee developed a consensus position. I am also not speaking for the IETF DNSOP group (of which I am a Secretary). |
|
Hi @peterthomassen, thank you for your insights and feedback.
In the course of discussion several years ago, we discussed this particular passage from RFC 3172:
and this passage:
Given these statements, it was determined that issuance for any hostname under .arpa would run counter to this guidance, so it was agreed at the time to sunset this issuance.
The referenced section says:
This section is speaking to PTR records, not to naming hosts under ip6.arpa. As for "other purposes", naming hosts would conflict with the guidance in RFC 3172.
It is unfortunate that RFC 3172 was not updated to clarify that .arpa can be used for naming hosts rather than solely mapping protocol values to service names at the time these specifications established these hostnames.
I discussed your concerns with the endorsers of the ballot and we will not move forward with this ballot as-is, as there is value in allowing issuance for DoH/DoT nameservers under .arpa and do not want to hamper those efforts. Our current thinking is that ballot will be scaled down to prohibiting wildcards under .arpa, but we can certainly discuss. As I hinted at above, I think it would very helpful that RFC 3172 be updated to explicitly permit the naming of hosts such as the previously mentioned nameservers. Doing so would eliminate confusion on the intended purpose of .arpa. |
Thank you for getting back, @CBonnell! :-)
While this limitation is indeed stated in RFC 3172, that doesn't mean that "you" (CA/B Forum) has to enforce it :-) That's particularly true if a certain "lapse" causes no issues, and may actually be useful to some. In fact, not even the IETF sees itself as the "protocol police", except on specific days (see the publication date of RFC 8962). :) (... true, RFC 3172 is from the IAB, not the IETF.)
Fair.
Great! Thank you for considering the feedback with the others.
I agree with you, yes! |
Co-authored-by: Dimitris Zacharopoulos <[email protected]>
Co-authored-by: Dimitris Zacharopoulos <[email protected]>
|
Silly git, it's just a branch rename. I restored the previous branch name even though it's not quite an accurate representation of the ballot content. |
CBonnell
changed the title
clintwilson
left a comment
clintwilson
left a comment
There was a problem hiding this comment.
This looks clean and straight-forward to me.
CBonnell
changed the title
| **IP Address Registration Authority**: The Internet Assigned Numbers Authority (IANA) or a Regional Internet Registry (RIPE, APNIC, ARIN, AfriNIC, LACNIC). | ||
|
|
||
| **IP Reverse Address Domain Name**: A Domain Name that ends with the Domain Labels "in-addr.arpa" or "ip6.arpa". Examples: `1.2.0.192.in-addr.arpa` (IP version 4) and `1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa` (IP version 6). | ||
| **IP Reverse Zone Suffix**: One of the two FQDNs that consist of the Domain Labels "in-addr.arpa" or "ip6.arpa". These two FQDNs serve as the root of the IP version 4 and IP version 6 reverse mapping space. "in-addr.arpa" is the root of the IP version 4 reverse mapping space and "ip6.arpa" is the root of the IP version 6 reverse mapping space. |
There was a problem hiding this comment.
I am not sure we really have to explain which is which; it does not seem relevant to begin with in this definition and the BRs are not Wikipedia, but maybe I would have formed a different opinion if I looked at this from the perspective of SC-91 instead?
In any case, I do not think it is a problem to leave it in, but it stood out, so I thought I would mention it.
In letsencrypt/boulder/pull/2279 the same assertion is made in confidence: RFC 3172 is being violated when rDNS is used for traditional naming, based on the statement in RFC 3172 that .arpa is “not to be used in the same manner (e.g., for naming hosts) as other generic top‑level domains are commonly used.” That requirement is already satisfied because records in in‑addr.arpa, ip6.arpa, and e164.arpa (along with the rest of .arpa) are not available for registration outside the registries that administer the resources tied to each. The delegation of those names is inherently tied to the lifespan of the registration of those resources, so they cannot be used for conventional host naming (i.e., the way someone might purchase a domain from a registrar). The ability to operate webpages on those in‑addr.arpa records and use them for naming hosts is a by‑product of DNS. While some may object to the unconventional nature of these webpages, it is pointless and foolish to reinterpret an RFC drafted 24 years ago to stop a practice that, over the last two and a half decades, has caused no technical strain or operational concerns. It is to be expected that owners of these records may use them as they wish, such as for backend panels, informational pages, or any other services requiring a hostname. As with any other pages on the Internet, these pages may require a certificate from a publicly trusted CA to securely interconnect, and therefore should fall under the serviceable clientele of the CA/B Forum’s member CAs. In most BCPs, the language defined in RFC 2112 provides unambiguous intent through keywords such as MUST NOT or SHOULD NOT. RFC 3172 lacks those keywords, simply stating that the intent behind the existence of the .arpa TLD is not for naming hosts, which is already satisfied by how the TLD operates. The very next paragraph in the same RFC states:
I see no mention of IANA considerations, IAB discussions, or public comment from IP resource holders in your Google‑group discussions or on GitHub. Has the CA/B Forum conducted an impact assessment for such a decision among the audiences it would affect? Without doing so, your claims are merely baseless and broad assertions.
Trust anchors must provide certificates without baseless discrimination against a subset of records that has zero consequence or strain on operations. Without supplemental and proper justification for this discrimination, most IP resource holders will likely view the action as overreach that erodes trust in your member CAs. Ultimately, the RFC you cited dictates that enforcement responsibility lies with the operators of the .arpa TLD, the IANA and the IAB. At minimum, the CA/B Forum should not proceed without consulting those two bodies, and in my opinion, it should not move forward with such a measure at all. |
8 participants
Resolves #153.