nanog mailing list archives

Re: Certificates for DoT and DoH?


From: John Todd <jtodd () quad9 net>
Date: Mon, 28 Feb 2022 18:11:15 -0800

On 28 Feb 2022, at 7:11, Bill Woodcock wrote:

On Feb 28, 2022, at 3:29 PM, Bjørn Mork <bjorn () mork no> wrote:
Any recommendations for a CA with a published policy allowing an IP
address SAN (Subject Alternative Name)?
Both Quad9 got their certificate from DigiCert:

       Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
       Subject: C = US, ST = California, L = Berkeley, O = Quad9, CN = *.quad9.net
           X509v3 Subject Alternative Name:
               DNS:*.quad9.net, DNS:quad9.net, IP Address:9.9.9.9, IP Address:9.9.9.10, IP Address:9.9.9.11, IP Address:9.9.9.12, IP Address:9.9.9.13, IP Address:9.9.9.14, IP Address:9.9.9.15, IP Address:149.112.112.9, IP Address:149.112.112.10, IP Address:149.112.112.11, IP Address:149.112.112.12, IP Address:149.112.112.13, IP Address:149.112.112.14, IP Address:149.112.112.15, IP Address:149.112.112.112, IP Address:2620:FE:0:0:0:0:0:9, IP Address:2620:FE:0:0:0:0:0:10, IP Address:2620:FE:0:0:0:0:0:11, IP Address:2620:FE:0:0:0:0:0:12, IP Address:2620:FE:0:0:0:0:0:13, IP Address:2620:FE:0:0:0:0:0:14, IP Address:2620:FE:0:0:0:0:0:15, IP Address:2620:FE:0:0:0:0:0:FE, IP Address:2620:FE:0:0:0:0:FE:9, IP Address:2620:FE:0:0:0:0:FE:10, IP Address:2620:FE:0:0:0:0:FE:11, IP Address:2620:FE:0:0:0:0:FE:12, IP Address:2620:FE:0:0:0:0:FE:13, IP Address:2620:FE:0:0:0:0:FE:14, IP Address:2620:FE:0:0:0:0:FE:15

Does this mean that DigiCert is the only alternative?

I assume not, but we’d already used them for other things, and they didn’t have a problem doing it, so we didn’t shop 
any further.

Update to Bill’s comments:

They were the only CA at that time who would include IPv6 addresses in the signature, so it actually was a simple 
decision but for a different reason. We’re happy with how it’s working with them. For a few niche cases like recursive 
DNS, v6 signing is required, and Digicert went out of their way to implement that v6 ability. Thanks to them for making 
it available to what is probably a very small group of potential customers - they deserve some credit for making the 
technical effort and product decision.

And do they really have this offer for ordinary users, or is this also some special
arrangement for big players only?

No, we didn’t have to do anything special, to the best of my knowledge.

Nothing “special” meaning there is no custom business relationship, but it did take time and having a highly capable 
and persistent team here at Quad9 who could track the request through the process and get it done successfully, and for 
Digicert to work to create a process that wasn’t entirely customized. While I can’t speak for Digicert, I would suspect 
v6 address signing is still not entirely “off the shelf” or in the best case it is “barely off the shelf” for ordering 
on the website but it is a product they can reliably deliver if you talk to someone there.

That does make me wonder how they verify that I'm the rightful owner of
"sites, IP addresses, common names, etc.".  In particular, "etc" :-)
Or you could ask yourself if you trust a CA with such an offer...
[snip]

To validate that the addresses were “ours” or at least under our control, there were still some hoops to jump through 
other than the standard validation of registry data. For example, we had to activate web servers and objects on our 
anycast network to answer specific queries during some of the check processes.

TL;DR: Digicert is still the only player for v6 signing, and it will not be entirely hands-free to manage but also not 
overly difficult.

JT

--
John Todd - jtodd () quad9 net
General Manager - Quad9 Recursive Resolver
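The thread turns on a detail a DoT/DoH client has to get right: a resolver reached by IP address is only authenticated if the certificate carries a matching IP Address SAN, and the IPv6 entries above are written in expanded form (2620:FE:0:0:0:0:0:9) while a client will typically be configured with the compressed form (2620:fe::9), so a string comparison fails. The following is an added example, not code from the thread or from Quad9; it uses a constructed subset of the SAN list quoted above in the tuple shape that Python's ssl.SSLSocket.getpeercert() returns under "subjectAltName", and checks whether a given target (IPv4, IPv6, or hostname) is covered.

```python
import ipaddress
from typing import Iterable, Tuple

# Constructed sample: a subset of the SAN entries from the Quad9 certificate
# quoted in the thread, in the shape getpeercert()["subjectAltName"] uses.
QUAD9_SAN = (
    ("DNS", "*.quad9.net"), ("DNS", "quad9.net"),
    ("IP Address", "9.9.9.9"), ("IP Address", "149.112.112.112"),
    ("IP Address", "2620:FE:0:0:0:0:0:9"), ("IP Address", "2620:FE:0:0:0:0:FE:9"),
)


def _dns_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: case-insensitive; a wildcard is only accepted as
    the entire leftmost label and must leave at least two fixed labels."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_covers(san: Iterable[Tuple[str, str]], target: str) -> bool:
    """True if the SAN list authenticates `target`.

    If `target` parses as an IP address it must equal an IP Address SAN by
    value, so differing textual forms (expanded vs compressed IPv6, upper vs
    lower case hex) still match; a DNS SAN or the CN never authenticates a
    bare IP. Otherwise `target` is a hostname and must match a DNS SAN.
    """
    try:
        ip = ipaddress.ip_address(target.strip("[]"))  # allow "[2620:fe::9]"
    except ValueError:
        ip = None
    for kind, value in san:
        if ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue  # malformed SAN entry: skip it rather than trust it
        elif ip is None and kind == "DNS" and _dns_matches(value, target):
            return True
    return False
```

Run against a live resolver, the same check applies to `ssl_sock.getpeercert()["subjectAltName"]` with the address you actually connected to as `target`; the canonical compare is what makes the IPv6 entries in the certificate above usable.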

