[dns-operations] Private domains, X.509 certificates, and CAA records

James Stevens James.Stevens at jrcs.co.uk
Fri Sep 22 10:58:51 UTC 2017

Very interesting. Good point.

An alternative to split-views might be rfc1918 style TLD(s) - i.e. 
"guaranteed never to be made real" TLDs, or styles of TLDs.

If there was some "official" way to create private TLDs, then it's 
possible the certificate authorities would be happy to start issuing 
certs for them.

The cabforum.org/internal-names policy is totally understandable, on the 
basis they can never be sure any particular TLD won't, at some point, 
become a real one, and then the cert may have been issued to the 
"incorrect" (non-owning) party.


On 21/09/17 18:07, Tony Finch wrote:
> I don't think that the interaction between private domains and X.509
> certificates was discussed in the threads earlier this month (and I am not
> going to re-read them to check!) but this week I found out about a "fun"
> new wrinkle.
> Those who are fans of internal fake TLDs should be aware of
> https://cabforum.org/internal-names/ which says that since two years ago
> you have not been able to get certificates for fake TLDs from public
> certificate authorities. This obliges you to run your own CA for internal
> use, and set up all client devices to trust your private root cert. This
> is going to be a pain proportional to the number of unmanaged and/or BYOD
> clients you have on your network.
> Where I work our internal domain is private.cam.ac.uk. Originally it
> didn't have a delegation in its parent zone, but when we signed cam.ac.uk
> eight years ago we needed to add a delegation so that validating resolvers
> would not treat private names as bogus. (private.cam.ac.uk remains
> unsigned for now.)
> Public CAs are happy to issue certificates for nonexistent names within
> properly registered domains, and until this month they have been happy to
> issue certs for subdomains they could not resolve. However this changed on
> the 8th September when it became mandatory for CAs to check CAA DNS
> records. The effect is that while you can still get a certificate for an
> NXDOMAIN name, you can't get one if your server REFUSED the CA's CAA
> queries.
> At least, that is how our CA has implemented RFC 6844, so I have to
> reconfigure the way private.cam.ac.uk works. I'm setting up split views
> (which we have so far avoided) with the public view containing an empty
> version of private.cam.ac.uk.
> RFC 1918 and split view DNS are both ugly ideas, but it seems you can't
> have one without the other...
> Tony.
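As an added example (not from this thread, and not any CA's real implementation): a small Python simulation of the RFC 6844 CAA lookup, which climbs from the requested name toward the root, run against constructed zone data for the situation Tony describes. The CA name example-ca.test and the per-name responses are assumptions for illustration.

```python
# Added example: simulate the RFC 6844 CAA "tree climbing" lookup a CA
# performs before issuing, to show why a REFUSED answer for a private
# subdomain blocks issuance while NXDOMAIN does not.
# All zone data and CA names below are constructed for illustration.

# Public-side responses before the split view: the delegation for
# private.cam.ac.uk points at internal-only servers that REFUSE queries
# from the CA. Names not listed are answered NXDOMAIN by the stub resolver.
PUBLIC_VIEW_BEFORE = {
    "cam.ac.uk.": ("NOERROR", [(0, "issue", "example-ca.test")]),
    "private.cam.ac.uk.": ("REFUSED", []),
    "host.private.cam.ac.uk.": ("REFUSED", []),
}

# After the split view: the public side serves an empty private.cam.ac.uk
# zone, so hosts under it get NXDOMAIN and the climb continues upward.
PUBLIC_VIEW_AFTER = {
    "cam.ac.uk.": ("NOERROR", [(0, "issue", "example-ca.test")]),
    "private.cam.ac.uk.": ("NOERROR", []),
}

def lookup(view, name):
    """Stub resolver: return (rcode, caa_rrset) for an owner name."""
    return view.get(name, ("NXDOMAIN", []))

def relevant_caa(view, fqdn):
    """RFC 6844 s.4: climb from fqdn to the root and return the first CAA
    RRset found. NXDOMAIN or an empty answer means 'no CAA here, go up';
    a lookup failure (REFUSED/SERVFAIL) aborts the whole check."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        rcode, rrset = lookup(view, name)
        if rcode in ("REFUSED", "SERVFAIL"):
            raise LookupError(f"CAA lookup for {name} failed: {rcode}")
        if rcode == "NOERROR" and rrset:
            return rrset
    return []  # reached the root with no CAA found: no restriction

def may_issue(view, fqdn, ca_domain):
    """Decide issuance the way the post describes the CA behaving:
    a failed CAA lookup is treated as 'do not issue'."""
    try:
        rrset = relevant_caa(view, fqdn)
    except LookupError:
        return False
    issue_tags = [value for _flags, tag, value in rrset if tag == "issue"]
    return not issue_tags or ca_domain in issue_tags
```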
