On Tue, Jan 5, 2016 at 2:30 PM, Bob Harold <[email protected]> wrote:
>
>> Apparently I don't understand certificates...
>
> In section 7, an example SRV record is:
> _domain-s._tcp.dns.example.com. SRV 0 1 853 dns1.example.com.
>
> But in section 9 I see:
> _domain-s.dns.example.com
>
> Are those related? I really don't understand why section 9 even suggests
> adding
> _domain-s.dns.example.com
>
Section 7 shows a DNS SRV record.
Section 9 shows a subject identity included in the certificate
corresponding to the SRV record owner name, specifically an SRV-ID (Subject
Alternative Name -> OtherName/SRVName type) - see RFC 4985 and RFC 6125 for
details.
> I also don't understand why the Subject field is not valid to use. I
> thought subjectAltName was optional, and only used if there were more than
> one domain name in the cert.
>
Use of domain names in the subject field's Common Name is largely deprecated
by current specs (even though they are commonly issued by public CAs). RFC
6125 for example says:
   o  Move away from including and checking strings that look like
      domain names in the subject's Common Name.
   o  Move toward including and checking DNS domain names via the
      subjectAlternativeName extension designed for that purpose:
      dNSName.
   o  Move toward including and checking even more specific
      subjectAlternativeName extensions where appropriate for using the
      protocol (e.g., uniformResourceIdentifier and the otherName form
      SRVName).
Shumon.
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
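As an added illustration of the two points in the reply above (not code from the thread or from any RFC), the following encodes the SRV-ID `_domain-s.dns.example.com` as the RFC 4985 otherName/SRVName form it takes in a certificate's subjectAltName, parses it back, and applies the RFC 6125 preference order: SRV-ID, then dNSName (DNS-ID), with the Common Name (CN-ID) only as a deprecated fallback when the SAN carries neither. It is pure Python with no dependencies; the names used are the thread's examples, and the list-of-tuples SAN representation is this example's own simplification, not a real X.509 parser's output.

```python
ID_ON_DNSSRV = b"\x2b\x06\x01\x05\x05\x07\x08\x07"  # DER body of OID 1.3.6.1.5.5.7.8.7 (id-on-dnsSRV, RFC 4985)

def _tlv(tag, body):
    """Encode one DER TLV; SRVNames are short, so only short-form lengths (< 128) are supported."""
    assert len(body) < 0x80, "long-form DER length not implemented in this example"
    return bytes([tag, len(body)]) + body

def _read_tlv(buf, pos=0):
    """Decode one short-form DER TLV at pos -> (tag, body, position after it)."""
    tag, ln = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + ln], pos + 2 + ln

def srvname_general_name(service, host):
    """GeneralName otherName carrying the SRV-ID "_service.host" (RFC 4985 SRVName)."""
    srv_id = f"_{service}.{host}".encode("ascii")
    value = _tlv(0xA0, _tlv(0x16, srv_id))               # value: [0] EXPLICIT IA5String
    return _tlv(0xA0, _tlv(0x06, ID_ON_DNSSRV) + value)  # [0] IMPLICIT OtherName { type-id, value }

def parse_srvname(general_name):
    """Return the SRV-ID string if general_name is an id-on-dnsSRV otherName, else None."""
    tag, body, _ = _read_tlv(general_name)
    if tag != 0xA0:                                      # 0x82 would be a dNSName, not an otherName
        return None
    oid_tag, oid, nxt = _read_tlv(body)
    if oid_tag != 0x06 or oid != ID_ON_DNSSRV:           # some other otherName type
        return None
    exp_tag, exp, _ = _read_tlv(body, nxt)
    if exp_tag != 0xA0 or not exp:
        return None
    str_tag, text, _ = _read_tlv(exp)
    if str_tag != 0x16:
        return None
    return text.decode("ascii")

def verify_identity(san, cn, service, host):
    """RFC 6125 section 6 matching of the reference identity "_service.host" against
    SAN entries ("otherName", der) / ("dNSName", name); wildcards are not handled."""
    want_srv, has_san_ids = f"_{service}.{host}".lower(), False
    for kind, val in san:
        if kind == "otherName" and (name := parse_srvname(val)) is not None:
            has_san_ids = True
            if name.lower() == want_srv:
                return "SRV-ID"
        elif kind == "dNSName":
            has_san_ids = True
            if val.lower() == host.lower():
                return "DNS-ID"
    # CN-ID is the deprecated fallback; RFC 6125 forbids it once the SAN holds any DNS-ID or SRV-ID
    if not has_san_ids and cn and cn.lower() == host.lower():
        return "CN-ID"
    return None
```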