Do certificates for IP Addresses work?

Richard Laager rlaager at wiktel.com
Sat Feb 2 00:57:35 UTC 2019


On 2/1/19 5:24 PM, Hal Murray via devel wrote:
> If I start with a name, translate that to an IP Address, make a TLS connection 
> to that system, I expect to get a certificate that matches the name.

Yep.

> But that 
> translation step adds another layer of security considerations.

It's actually somewhat the opposite. You don't need to care about the
DNS lookup. The certificate provides security over the whole thing. If I
can redirect your DNS, I still can't present a valid certificate
matching the name you asked for.

> Is it practical to bypass the DNS lookup and use a certificate for the IP 
> Address?

No.

The RFCs do allow putting an IP address in a certificate name, but:

A) Your client and/or SSL library may or may not implement this.

B) Public CAs will not issue you a certificate for an IP address, per CA
   Browser forum rules.

So this is just not done. Put the IP thing out of your mind. In
practice, a certificate needs a name (if you want it to validate).

> Is there an option I can give to something like getaddrinfo() that says 
> require DNSSEC?

AFAIK, no. There seems to be a third-party libval that provides
val_getaddrinfo(). I wouldn't recommend going down this path. The
typical approach for getting DNSSEC validation is that you add it to
your resolver (on the box or on your LAN).

> What fraction of the world is using DNSSEC and/or pays 
> attention if somebody else uses it?

Some Google searching sent me here:
http://rick.eng.br/dnssecstat/
https://stats.labs.apnic.net/dnssec/XA?c=XA&x=1&g=1&r=1&w=7&g=0

About 19% of the world is doing DNSSEC validation, in large part because
apparently 15% of the world is using Google's recursive DNS service.

-- 
Richard