On Thu, Feb 23, 2017 at 01:55:40AM -0800, Nick Lamb via dev-security-policy wrote:
> 1. Neither registries nor registrars in the DNS system would ordinarily
> have control over the existence of sub-domains. In some cases the whole
> _purpose_ of the registration is to create such sub-domains without
> further administration; it would be untenable to run e.g. blogspot.co.uk
> with oversight from Nominet on every sub-domain for example. So nobody is
> in a position to ensure that when uninteresting.example is registered its
> new owners will never create an FQDN
> microsoft-tech-support.uninteresting.example
Registries and registrars aren't in a position to block or otherwise interfere with shady subdomain labels, but recursive and "upstream" authoritative nameservers are. Both get the full FQDN being resolved, and while caching can mean that the root and `.example` authoritative nameservers may, or may not, see that someone is looking up `microsoft-tech-support.uninteresting.example`, whatever recursive resolver the client is using (whether it be on-box, on-LAN, ISP-provided, or a public service such as 8.8.8.8/8.8.4.4) definitely sees the full request.

- Matt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
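As an added illustration of the point Matt makes about who sees the full query name (this is example code written for this page, not part of his message or the list thread), the following Python models a recursive resolver iterating from the root with a delegation cache, and an RPZ-style label check applied at the resolver. The delegation tree, the nameserver names and the brand-abuse pattern are constructed for the example and are not real infrastructure or a real policy.

```python
"""Which DNS servers see a full query name (added example; not from the thread).

Models a recursive resolver iterating from the root with a delegation cache, and
an RPZ-style label check applied at the resolver. The delegation tree and the
nameserver names below are constructed for the example, not real infrastructure.
"""
import re

# Constructed delegation tree: zone -> (its nameserver, child zones it delegates).
ZONES = {
    ".": ("a.root-servers.example.", {"example."}),
    "example.": ("ns.example.", {"uninteresting.example."}),
    "uninteresting.example.": ("ns.uninteresting.example.", set()),
}

# Hypothetical brand-impersonation pattern a resolver operator might deploy.
BRAND_ABUSE = re.compile(r"(microsoft|paypal|apple).*(support|login|secure)", re.I)


def enclosing_zones(qname):
    """Zones enclosing qname, most specific first, ending with the root.
    'a.b.example.' -> ['a.b.example.', 'b.example.', 'example.', '.']"""
    labels = qname.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


def servers_seeing(qname, cache):
    """Return the authoritative nameservers that receive the full qname.

    The resolver starts at the most specific delegation already in `cache`
    (zone -> nameserver, seeded with the root) and follows referrals, caching
    each one. Without QNAME minimisation every server queried gets the full
    name; servers above a cached delegation never see the query at all.
    """
    current = next(z for z in enclosing_zones(qname) if z in cache)
    seen = []
    while True:
        ns, children = ZONES[current]
        seen.append(ns)
        referral = next((z for z in enclosing_zones(qname) if z in children), None)
        if referral is None:
            return seen                          # this server answers authoritatively
        cache[referral] = ZONES[referral][0]     # remember the delegation
        current = referral


def resolver_policy(qname):
    """RPZ-style decision taken by the recursive resolver on the full QNAME.
    Unlike upstream authoritatives, the resolver sees every query, cached or not."""
    return "refuse" if BRAND_ABUSE.search(qname) else "resolve"


def demo():
    """Cold lookup of a benign name warms the cache; the shady name then reaches
    only the zone's own server, yet the resolver still gets to rule on it."""
    cache = {".": ZONES["."][0]}                 # cold cache: only the root hint
    cold = servers_seeing("blog.uninteresting.example.", cache)
    warm = servers_seeing("microsoft-tech-support.uninteresting.example.", cache)
    return cold, warm, resolver_policy("microsoft-tech-support.uninteresting.example.")


if __name__ == "__main__":
    cold, warm, verdict = demo()
    print("cold cache, every tier saw the name:", cold)
    print("warm cache, only the zone's own server saw it:", warm)
    print("resolver verdict on the shady label:", verdict)
```

The warm-cache case is the "may, or may not" in the message: once the `uninteresting.example.` delegation is cached, neither the root nor the `.example` server is consulted for the shady label, but the recursive resolver still had the full name in hand and could apply its policy before sending anything upstream. Resolvers that implement QNAME minimisation (RFC 9156) narrow the upstream view further still, sending the root and TLD servers only the labels they need even on a cold cache; the resolver's own view is unchanged.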