
197 points SGran | 2 comments
chrismorgan ◴[] No.42733278[source]
> The dns-01 challenge type will not be available because the DNS is not involved in validating IP addresses. Additionally, there is no mechanism to check CAA records for IP addresses.

Is in-addr.arpa. not usable for these purposes? Given how you can do PTR records to map IP address to domain name, I had just assumed it would be at least theoretically usable for more, even if few or no hosts exposed it so at present.

replies(1): >>42733715 #
baby_souffle ◴[] No.42733715[source]
That just proves you have a way to manipulate DNS.

Doesn’t prove you own the thing the IP routes to.

replies(1): >>42733763 #
mixdup ◴[] No.42733763[source]
I mean that applies to DNS authentication for non-IP certificates, too.
replies(1): >>42809638 #
baby_souffle ◴[] No.42809638[source]
> I mean that applies to DNS authentication for non-IP certificates, too

Right, but "show me you own foo.com" is a pretty reasonable bar to clear for issuing a certificate with a CN of "foo.com".

Show me you own `1.1.1.1` by manipulating the DNS for "foo.com" is ... not quite the same.

replies(1): >>42908423 #
chrismorgan ◴[] No.42908423[source]
You seem to be misunderstanding. We're talking about https://en.m.wikipedia.org/wiki/Reverse_DNS_lookup. Either putting records directly on the in-addr.arpa. domain (what I originally had in mind), or if that's not possible, on the domain it points to (which seems a pretty watertight proof method).