IPs on TLS certificate SANs for DoH DNS

Hello,

I was following Run A Private DNS Over HTTPS Service · Fly Docs and found that the DNS service is not usable with fly-provided certificates because the TLS certificate only has a common name for the hostname. For it to be usable for DNS, it would need to have the IP addresses on the SANs so that TLS can validate against the IP address.

How can I include my application’s IPv4 and IPv6 addresses on the certificate?

Here is an example for 1.1.1.1:

For it to be usable for DNS, it would need to have the IP addresses on the SANs so that TLS can validate against the IP address.

TLS for IP addresses isn't a necessity. DNS over TLS or DNS over HTTPS impl should work with hostname just fine.

Fly doesn't validate for the ipAddress field, nor does it add one of the app's IPs to the CN (see: an example cert generated by Fly), which it needs to do for you to TLS over IP. Read also: Guidance on IP Addresses in Certificates | CAB Forum

It is uncommon to issue certs against IP addresses, though it'd be cool if Fly issued them since they assign a dedicated IP address per app, anyway.

cc: @thomas

TLS for IP addresses isn't a necessity. DNS over TLS or DNS over HTTPS impl should work with hostname just fine.

How does TLS validation work in this scenario? As far as I can tell, it doesn’t, because the DNS server needs to be set to an IP. How would it work with just the hostname? Google DNS, Cloudflare DNS, and Quad9 all have IPs in the SANs to facilitate this.

TLS authenticates an origin either against a hostname (most common) or an IP (rare).

DoT and DoH work just fine with (fixed) hostnames served over changing (dynamic) IPs.