> I believe the list was merely a crt.sh query of all unexpired certificates
> with a dNSName ending in "in-addr.arpa":
> https://crt.sh/?dNSName=%25.in-addr.arpa&exclude=expired

Any list for this general issue should also consider unexpired certificates with a dNSName ending in "ip6.arpa" to cover the IPv6 reverse zone in addition to the IPv4 one. I noticed there are similar interesting wildcards/host nodes under the ip6.arpa zone when I was writing a linter[0] for this.

[0] - https://github.com/zmap/zlint/pull/260

On Wed, Feb 27, 2019 at 10:05 PM Corey Bonnell via dev-security-policy <[email protected]> wrote:
> On Wednesday, February 27, 2019 at 10:43:15 AM UTC-5, Tim Hollebeek wrote:
> > > On 27/02/2019 00:10, Matthew Hardeman wrote:
> > > > Is it even proper to have a SAN dnsName in in-addr.arpa ever?
> > > >
> > > > While in-addr.arpa IS a real DNS hierarchy under the .arpa TLD, it
> > > > rarely has anything other than PTR and NS records defined.
> > > >
> > >
> > > While there is no current use, and the test below was obviously somewhat
> > > contrived (and seems to have triggered a different issue), one cannot rule out
> > > the possibility of a need appearing in the future.
> >
> > At least the last time this came up a few years ago, there were actually a
> > significant number of webservers running under in-addr.arpa, with Comodo and
> > LE certificates (as well as a handful of others). I believe Corey posted a
> > list.
> >
> > Exactly what they were doing there is an open question, and when I asked, no
> > one responded. I'm still very curious as to why some people seem to actually
> > be running servers there, or if it's just a side-effect of misconfigured
> > CNAMEs causing them to appear to be there, or similar.
> >
> > -Tim
>
> Hi Tim,
> As you said, I vaguely recall this coming up in some discussion (perhaps
> in the CAB Forum Validation Subcommittee?) but nothing was concluded. I
> believe the list was merely a crt.sh query of all unexpired certificates
> with a dNSName ending in "in-addr.arpa":
> https://crt.sh/?dNSName=%25.in-addr.arpa&exclude=expired
>
> The query results are definitely worth a look as there are some unexpected
> findings, such as wildcards (such as "*.0.195.206.in-addr.arpa") and host
> nodes (such as "www.175.232.77.in-addr.arpa", etc.) under in-addr.arpa.
> Several of the domain names starting with "www" actually appear to resolve
> to an IP address with a web server running. Definitely an interesting
> (ab)use of the reverse zones.
>
> Thanks,
> Corey
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
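An added example, not code from this thread or from the zlint pull request linked above, of the check the reply describes: it classifies a SAN dNSName at or under in-addr.arpa (IPv4) or ip6.arpa (IPv6) and, going a step further than the thread, also records whether the name is a wildcard, which leading labels are host labels such as "www", and which address prefix the reverse-zone labels imply. The type and function names are assumptions; the sample names in the test are the ones quoted in the thread plus a constructed ip6.arpa one.

```go
package main

import (
	"strconv"
	"strings"
)

type Finding struct {
	Zone     string // "in-addr.arpa" (IPv4) or "ip6.arpa" (IPv6)
	Wildcard bool   // leftmost label is "*"
	Prefix   string // address prefix covered by the numeric labels, most significant first
	Host     string // leading non-address labels such as "www", if any
}

// ParseReverseZoneName classifies a dNSName at or under in-addr.arpa or ip6.arpa
// (whole-label match, case-insensitive, trailing dot ignored); ok is false otherwise.
func ParseReverseZoneName(name string) (f Finding, ok bool) {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(name, ".")), ".")
	n := len(labels)
	if n < 2 || labels[n-1] != "arpa" || (labels[n-2] != "in-addr" && labels[n-2] != "ip6") {
		return Finding{}, false
	}
	f.Zone = labels[n-2] + ".arpa"
	rest := labels[:n-2]
	if len(rest) > 0 && rest[0] == "*" {
		f.Wildcard, rest = true, rest[1:]
	}
	// Reverse-zone labels run least-significant first: peel trailing octet/nibble labels and reverse them.
	var parts []string
	for len(rest) > 0 && isAddressLabel(rest[len(rest)-1], f.Zone) {
		parts = append(parts, rest[len(rest)-1])
		rest = rest[:len(rest)-1]
	}
	sep := "." // dotted octets for v4; v6 nibbles concatenate into a hex prefix
	if f.Zone == "ip6.arpa" {
		sep = ""
	}
	f.Prefix = strings.Join(parts, sep)
	f.Host = strings.Join(rest, ".") // whatever remains is a host label such as "www"
	return f, true
}

// isAddressLabel accepts a canonical decimal octet (v4) or a single hex nibble (v6).
func isAddressLabel(label, zone string) bool {
	if zone == "in-addr.arpa" {
		v, err := strconv.Atoi(label)
		return err == nil && v >= 0 && v <= 255 && strconv.Itoa(v) == label
	}
	return len(label) == 1 && strings.Contains("0123456789abcdef", label)
}
```

Running it over a certificate's DNSNames and reporting every name for which ok is true gives the same signal as the crt.sh query, with the ip6.arpa zone covered as well.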

