← Back to context

Comment by chrismorgan

3 months ago

> The dns-01 challenge type will not be available because the DNS is not involved in validating IP addresses. Additionally, there is no mechanism to check CAA records for IP addresses.

Is in-addr.arpa. not usable for these purposes? Given how you can do PTR records to map IP address to domain name, I had just assumed it would be at least theoretically usable for more, even if few or no hosts exposed it so at present.

4 comments

chrismorgan

Reply
baby_souffle  3 months ago

That just proves you have a way to manipulate DNS.

Doesn’t prove you own the thing the IP routes to.

  • mixdup  3 months ago

    I mean that applies to DNS authentication for non-IP certificates, too

    • baby_souffle  3 months ago

      > I mean that applies to DNS authentication for non-IP certificates, too

      Right, but "show me you own foo.com" is a pretty reasonable bar to clear for issuing a certificate with a CN of "foo.com".

      Show me you own `1.1.1.1` by manipulating the DNS for "foo.com" is ... not quite the same.

      1 reply →