On 28 Feb 2022, at 7:11, Bill Woodcock wrote:

>> On Feb 28, 2022, at 3:29 PM, Bjørn Mork <bj...@mork.no> wrote:
>> Any recommendations for a CA with a published policy allowing an IP
>> address SAN (Subject Alternative Name)?
>> Both Quad9 got their certificate from DigiCert:
>>
>>        Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 
>> 2020 CA1
>>        Subject: C = US, ST = California, L = Berkeley, O = Quad9, CN = 
>> *.quad9.net
>>            X509v3 Subject Alternative Name:
>>                DNS:*.quad9.net, DNS:quad9.net, IP Address:9.9.9.9, IP 
>> Address:9.9.9.10, IP Address:9.9.9.11, IP Address:9.9.9.12, IP 
>> Address:9.9.9.13, IP Address:9.9.9.14, IP Address:9.9.9.15, IP 
>> Address:149.112.112.9, IP Address:149.112.112.10, IP Address:149.112.112.11, 
>> IP Address:149.112.112.12, IP Address:149.112.112.13, IP 
>> Address:149.112.112.14, IP Address:149.112.112.15, IP 
>> Address:149.112.112.112, IP Address:2620:FE:0:0:0:0:0:9, IP 
>> Address:2620:FE:0:0:0:0:0:10, IP Address:2620:FE:0:0:0:0:0:11, IP 
>> Address:2620:FE:0:0:0:0:0:12, IP Address:2620:FE:0:0:0:0:0:13, IP 
>> Address:2620:FE:0:0:0:0:0:14, IP Address:2620:FE:0:0:0:0:0:15, IP 
>> Address:2620:FE:0:0:0:0:0:FE, IP Address:2620:FE:0:0:0:0:FE:9, IP 
>> Address:2620:FE:0:0:0:0:FE:10, IP Address:2620:FE:0:0:0:0:FE:11, IP 
>> Address:2620:FE:0:0:0:0:FE:12, IP Address:2620:FE:0:0:0:0:FE:13, IP 
>> Address:2620:FE:0:0:0:0:FE:14, IP Address:2620:FE:0:0:0:0:FE:15
>>
>> Does this mean that DigiCert is the only alternative?
>
> I assume not, but we’d already used them for other things, and they didn’t 
> have a problem doing it, so we didn’t shop any further.

Update to Bill’s comments:

They were the only CA at that time who would include IPv6 addresses in the 
signature, so it actually was a simple decision but for a different reason. 
We’re happy with how it’s working with them. For a few niche cases like 
recursive DNS, v6 signing is required, and Digicert went out of their way to 
implement that v6 ability. Thanks to them for making it available to what is 
probably a very small group of potential customers - they deserve some credit 
for making the technical effort and product decision.

>> And do they really have this offer for ordinary users, or is this also some 
>> special arrangement for big players only?
>
> No, we didn’t have to do anything special, to the best of my knowledge.

Nothing “special” meaning there is no custom business relationship, but it did 
take time and having a highly capable and persistent team here at Quad9 who 
could track the request through the process and get it done successfully, and 
for Digicert to work to create a process that wasn’t entirely customized. While 
I can’t speak for Digicert, I would suspect v6 address signing is still not 
entirely “off the shelf” or in the best case it is “barely off the shelf” for 
ordering on the website but it is a product they can reliably deliver if you 
talk to someone there.

>> That does make me wonder how they verify that I'm the rightful owner of
>> "sites, IP addresses, common names, etc.".  In particular, "etc" :-)
>> Or you could ask yourself if you trust a CA with such an offer...
[snip]

To validate that the addresses were “ours” or at least under our control, there 
were still some hoops to jump through other than the standard validation of 
registry data. For example, we had to activate web servers and objects on our 
anycast network to answer specific queries during some of the check processes.

TL;DR: Digicert is still the only player for v6 signing, and it will not be 
entirely hands-free to manage but also not overly difficult.

JT

--
John Todd - jt...@quad9.net
General Manager - Quad9 Recursive Resolver
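An added example, not from the thread or from Quad9's or DigiCert's code: when a client reaches a resolver by IP literal, the certificate check has to compare the literal against the SAN's iPAddress entries as parsed addresses (so 2620:FE:0:0:0:0:0:FE and 2620:fe::fe agree) and never against the dNSName entries. The stdlib Python below parses the openssl-style SAN line quoted above (the sample is constructed from it and shortened) and performs that match.

```python
import ipaddress

# Constructed sample: the SAN line as `openssl x509 -text` prints it, taken
# from the Quad9 certificate quoted in the thread and shortened to a few entries.
SAN_TEXT = ("DNS:*.quad9.net, DNS:quad9.net, IP Address:9.9.9.9, "
            "IP Address:149.112.112.112, IP Address:2620:FE:0:0:0:0:0:FE, "
            "IP Address:2620:FE:0:0:0:0:FE:9")


def parse_san(text):
    """Split an openssl-style SAN line into DNS patterns and parsed IP addresses."""
    dns_names, ip_addrs = [], []
    for item in text.split(","):
        item = item.strip()
        if item.startswith("DNS:"):
            dns_names.append(item[len("DNS:"):].lower().rstrip("."))
        elif item.startswith("IP Address:"):
            # Parsing is what makes 2620:FE:0:0:0:0:0:FE and 2620:fe::fe compare equal.
            ip_addrs.append(ipaddress.ip_address(item[len("IP Address:"):]))
    return dns_names, ip_addrs


def dns_matches(pattern, hostname):
    """RFC 6125-style match: '*' only as the entire leftmost label, covering one label."""
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:] and h_labels[0] != ""
    return p_labels == h_labels


def san_covers(san_text, target):
    """True if the connection target (hostname or IP literal) is named in the SAN.

    An IP literal is checked only against iPAddress entries, as an address;
    a hostname only against dNSName entries. Matching an IP literal's text
    against CN or dNSName entries instead is a known verifier bug."""
    dns_names, ip_addrs = parse_san(san_text)
    try:
        addr = ipaddress.ip_address(target.strip("[]"))  # accept [v6] URL form
    except ValueError:
        host = target.lower().rstrip(".")
        return any(dns_matches(p, host) for p in dns_names)
    return addr in ip_addrs
```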
