[162416] in North American Network Operators' Group
Re: What do people use public suffix for?
daemon@ATHENA.MIT.EDU (Joe Abley)
Mon Apr 15 12:31:34 2013
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <31546939.2275.1366041623873.JavaMail.root@benjamin.baylink.com>
Date: Mon, 15 Apr 2013 12:30:59 -0400
To: Jay Ashworth <jra@baylink.com>
Cc: NANOG <nanog@nanog.org>
On 2013-04-15, at 12:00, Jay Ashworth <jra@baylink.com> wrote:
> Seems to me that it's a crock because *it should be in the DNS*.
>
> I should be able to retrieve the AS (administrative split) record
> for .co.uk, and there should be one that says, "yup, there's an
> administrative split below me; nothing under there is mine unless
> you also get an exception record for a subdomain".
I've always quite liked that idea (if we accept for the point of discussion that there are use-cases like cookie naming that make identifying this kind of boundary useful).
There's a concern though that there are multiple ways to spoof such a DNS response, and do so in a distributed fashion that might not be easy to detect by an individual client application. If the AS (or whatever) record was signed, that would make things better. But only if you could rely upon clients to validate those responses (or have a sufficiently clean DNS path out that validation was even possible).
There's also the question of what to do with a TLD (or other part of the namespace) that doesn't include this record. Some of the zones we're talking about are generated by registry machinery with long software development lifecycles.
If your starting point is (a) the records might not be there, (b) we might not be able to find them even if they are there, and (c) if we get them we can't always be sure they are genuine, then the natural conclusion is that you can't rely on the mechanism to work and you look for another answer.
If you need the mechanism to work (say you're a browser vendor who is going to get heat if cookie-leakage causes widespread privacy violations) then I can see why fetching and caching a browser list over SSL (and perhaps shipping with a baseline version of it) seems attractive.
And that I guess takes us back to where we are.
Joe
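The "browser list" Joe refers to is the Public Suffix List, and the cookie-leakage problem it exists to prevent is the one Jay's hypothetical AS record would also address: a client needs to know where the administrative split is so it refuses a cookie scoped to `co.uk` or `github.io`. The following is an added example, not code from the thread or from any browser or PSL library. It implements the PSL's matching rules (plain, `*.` wildcard and `!` exception entries) over a small constructed subset of the list, then uses the result to decide whether a cookie `Domain` attribute may be accepted. A real client would ship a baseline copy of the full list and refresh it over TLS, as the post describes.

```python
"""Minimal Public Suffix List matcher and cookie-domain check.

Added example; the rule set is a small CONSTRUCTED subset written in the
PSL's own file syntax, not the real list.
"""

# Constructed sample rules: plain, wildcard ("*.") and exception ("!") entries,
# plus the comment lines a parser has to skip. The "//" markers mirror the
# section headers used in the real list.
SAMPLE_PSL = """\
// ===BEGIN ICANN DOMAINS===
com
uk
co.uk
*.ck
!www.ck
// ===BEGIN PRIVATE DOMAINS===
github.io
"""


def parse_rules(text):
    """Parse PSL text into (labels, is_exception) pairs, skipping comments/blanks."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        is_exception = line.startswith("!")
        rules.append((line.lstrip("!").lower().split("."), is_exception))
    return rules


RULES = parse_rules(SAMPLE_PSL)


def _rule_matches(rule_labels, host_labels):
    """Compare right to left: every rule label must equal the host label or be '*'."""
    if len(host_labels) < len(rule_labels):
        return False
    return all(r == "*" or r == h
               for r, h in zip(reversed(rule_labels), reversed(host_labels)))


def public_suffix(host, rules=RULES):
    """Return the public suffix of host (the administrative split point)."""
    host_labels = host.lower().rstrip(".").split(".")
    best = None
    for labels, is_exception in rules:
        if not _rule_matches(labels, host_labels):
            continue
        if is_exception:
            # An exception rule wins outright; the suffix is the rule minus
            # its leftmost label (so "!www.ck" makes "ck" the suffix of www.ck).
            return ".".join(host_labels[-(len(labels) - 1):])
        if best is None or len(labels) > len(best):
            best = labels  # prefer the rule with the most labels
    if best is None:
        best = ["*"]  # implicit default rule: the TLD alone is the suffix
    return ".".join(host_labels[-len(best):])


def registrable_domain(host, rules=RULES):
    """Public suffix plus one label, or None when host is itself a public suffix."""
    host_labels = host.lower().rstrip(".").split(".")
    suffix_len = len(public_suffix(host, rules).split("."))
    if len(host_labels) <= suffix_len:
        return None
    return ".".join(host_labels[-(suffix_len + 1):])


def cookie_domain_allowed(request_host, cookie_domain, rules=RULES):
    """Decide whether a Set-Cookie Domain attribute may be honoured.

    Rejects a Domain that is a public suffix (it would be shared by every
    registrant under that suffix) and one the request host is not inside.
    """
    cookie_domain = cookie_domain.lower().lstrip(".")
    request_host = request_host.lower()
    if registrable_domain(cookie_domain, rules) is None:
        return False
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


if __name__ == "__main__":
    for host in ("www.example.co.uk", "co.uk", "foo.bar.ck", "www.ck", "alice.github.io"):
        print(f"{host:20} suffix={public_suffix(host):10} registrable={registrable_domain(host)}")
    print(cookie_domain_allowed("www.example.co.uk", ".co.uk"))  # False: would leak across .co.uk
```

Note the two failure modes that make the list approach attractive in the post: the wildcard rule `*.ck` says every second-level label under `.ck` is its own administrative split, and the exception `!www.ck` carves one name back out. Both are things a client has to know up front; they cannot be derived from the DNS tree itself, which is why the list has to be shipped and refreshed rather than discovered.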