Certificates for DoT and DoH?

John Todd jtodd at quad9.net
Tue Mar 1 02:11:15 UTC 2022

On 28 Feb 2022, at 7:11, Bill Woodcock wrote:

>> On Feb 28, 2022, at 3:29 PM, Bjørn Mork <bjorn at mork.no> wrote:
>> Any recommendations for a CA with a published policy allowing an IP
>> address SAN (Subject Alternative Name)?
>> Both Quad9 got their certificate from DigiCert:
>>        Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
>>        Subject: C = US, ST = California, L = Berkeley, O = Quad9, CN = *.quad9.net
>>            X509v3 Subject Alternative Name:
>>                DNS:*.quad9.net, DNS:quad9.net, IP Address:, IP Address:, IP Address:, IP Address:, IP Address:, IP Address:, IP Address:, IP Address:, IP Address:, IP Address:, IP Address:, IP Address:, IP Address:, IP Address:, IP Address:, IP Address:2620:FE:0:0:0:0:0:9, IP Address:2620:FE:0:0:0:0:0:10, IP Address:2620:FE:0:0:0:0:0:11, IP Address:2620:FE:0:0:0:0:0:12, IP Address:2620:FE:0:0:0:0:0:13, IP Address:2620:FE:0:0:0:0:0:14, IP Address:2620:FE:0:0:0:0:0:15, IP Address:2620:FE:0:0:0:0:0:FE, IP Address:2620:FE:0:0:0:0:FE:9, IP Address:2620:FE:0:0:0:0:FE:10, IP Address:2620:FE:0:0:0:0:FE:11, IP Address:2620:FE:0:0:0:0:FE:12, IP Address:2620:FE:0:0:0:0:FE:13, IP Address:2620:FE:0:0:0:0:FE:14, IP Address:2620:FE:0:0:0:0:FE:15
>> Does this mean that DigiCert is the only alternative?
> I assume not, but we’d already used them for other things, and they didn’t have a problem doing it, so we didn’t shop any further.

Update to Bill’s comments:

They were the only CA at that time who would include IPv6 addresses in the signature, so it actually was a simple decision but for a different reason. We’re happy with how it’s working with them. For a few niche cases like recursive DNS, v6 signing is required, and Digicert went out of their way to implement that v6 ability. Thanks to them for making it available to what is probably a very small group of potential customers - they deserve some credit for making the technical effort and product decision.

>> And do they really have this offer for ordinary users, or is this also some special
>> arrangement for big players only?
> No, we didn’t have to do anything special, to the best of my knowledge.

Nothing “special” meaning there is no custom business relationship, but it did take time and having a highly capable and persistent team here at Quad9 who could track the request through the process and get it done successfully, and for Digicert to work to create a process that wasn’t entirely customized. While I can’t speak for Digicert, I would suspect v6 address signing is still not entirely “off the shelf” or in the best case it is “barely off the shelf” for ordering on the website but it is a product they can reliably deliver if you talk to someone there.

>> That does make me wonder how they verify that I'm the rightful owner of
>> "sites, IP addresses, common names, etc.".  In particular, "etc" :-)
>> Or you could ask yourself if you trust a CA with such an offer...

To validate that the addresses were “ours” or at least under our control, there were still some hoops to jump through other than the standard validation of registry data. For example, we had to activate web servers and objects on our anycast network to answer specific queries during some of the check processes.

TL;DR: Digicert is still the only player for v6 signing, and it will not be entirely hands-free to manage but also not overly difficult.


John Todd - jtodd at quad9.net
General Manager - Quad9 Recursive Resolver

More information about the NANOG mailing list