  2. 6

    This somehow manages to make IPv6 addresses less ergonomic than they already are.

    If you are setting up a prototype to the stage where you need an SSL certificate, surely it’s not much of a stretch to add an AAAA record to a domain name?

    If you’re prepared to go down the road of self signed certificates, you can even issue one to your bare IP if you so wish.

    1. 3

      If you are setting up a prototype to the stage where you need an SSL certificate, surely it’s not much of a stretch to add an AAAA record to a domain name?

      In many (large) organisations, this would not be that easy. Domain name entries are usually filtered, and need some kind of validation/process. When building a prototype or a POC for a project, it might be cumbersome.

    2. 3

      Can someone help me understand the use case?

      1. I have a service running on IPv6 (only, it seems).
      2. I want a domain, so I can share the URL with others.
      3. I want to run an HTTPS certificate.
      4. I create a Let's Encrypt cert, using an HTTP-based validation.
      5. I now have an ugly domain with a valid SSL cert.

      Is this the suggested use case, because I see a number of issues with it.

      1. The DNS is not any nicer than an IP.
      2. I have no idea how reliable this DNS is. Is the DNS server just running under a college student's desk?
      3. The owner of the domain can steal all of my traffic at a whim. They can create any SSL cert they want (as they own the DNS zone), and they can point the domain at whatever IP they want.

      Using this method to put SSL/TLS on a service seems worse than just using a self signed cert. SSL/TLS is supposed to impart some level of guarantee that you are talking to who you think you are, and this removes those guarantees.

      1. 1

        AFAIR someone uses .ip6.arpa domains (and other sources) for quick discovery of active IPv6 hosts in the talk “You can -j REJECT but you can not hide: Global scanning of the IPv6 Internet”; here are some key points of the presentation.

        1. 1

          Seems brittle to rely on someone else when DNS is so cheap and easy. Especially with for-amateur free DNS solutions all over the place.
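The self-signed route mentioned earlier in the thread (issuing a certificate to a bare IP) and the trust argument in the "use case" comment (a third party's domain lets that party put any name on any IP), worked as an added Go example that is not code from this thread or from the service under discussion: the certificate carries only an iPAddress SAN, and a client that pins it accepts it solely for that exact address. The function names `SelfSignedIPCert` and `CertCoversAddress` and the address `2001:db8::1` (documentation prefix) are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// SelfSignedIPCert issues a self-signed certificate whose only subject
// alternative name is ip (an iPAddress SAN, no DNS name), so a client can
// pin it to a bare IPv6 host without any domain being involved.
func SelfSignedIPCert(ip net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(30 * 24 * time.Hour),
		IPAddresses:  []net.IP{ip}, // the only identity the cert asserts
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CertCoversAddress reports whether a client that pinned cert as its sole
// trust root would accept it for addr. It runs the chain and name checks a
// TLS client performs, so a DNS name or a different IP is rejected.
func CertCoversAddress(cert *x509.Certificate, addr string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(cert) // pinning: the self-signed cert is the only anchor
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return false
	}
	return cert.VerifyHostname(addr) == nil
}
```

Because no CA and no DNS zone is involved, the only way to get a certificate a pinning client accepts for that address is to hold the private key behind it.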