On 2012-06-15 10:38 PM, John Nagle wrote:
> On 6/15/2012 4:36 AM, Gervase Markham wrote:
>> On 14/06/12 19:55, John Nagle wrote:
>>>     Top-level A records are already allowed.  Try
>>>
>>>      http://ai/
>>
>> The ccTLDs have a different arrangement with ICANN from the gTLDs. ICANN
>> has a lot less control over them. Can you find a gTLD where there is a
>> top-level A record?
>>
>> Gerv
>
>     That's a discussion for another forum.  We're not determining
> gTLD policy here.  Just figuring out what the browser has to do
> with what's out there in DNS and what will have to be dealt with.

I disagree; this is the place to work out whether it is Mozilla's opinion that top-level A records are inappropriate. We have the technical ability to refuse to honor such records, and the political standing to make a case against them at ICANN, if we think that is the right course of action.

I have remembered the security case for not honoring top-level A records: it has to do with abbreviated DNS names used in intranets. Suppose http://ai.example.com/ is an internal-use-only server for example.com employees, whose computers have all been configured to retry NXDOMAINs by tacking '.example.com' on the end, and a great many internal URLs are therefore written http://ai/whatever. But the retry only happens if an A query for ai. returns NXDOMAIN; a public A query for ai. that returns an address will *supersede* the expected behavior and redirect intended-to-be-private HTTP requests to the external server. Depending on what the internal server does, this could cause a disastrous data leak.

(Yes, example.com's sysadmins *can* prevent this by correctly configuring their internal DNS and their firewall, but they probably haven't.)

zw
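The resolution order described in the message above, as an added example that is not part of the original thread. The zone contents and addresses are constructed (documentation ranges), and the search-first ordering it also models is an assumption beyond the thread, included to show why the order of candidates decides whether the short name is shadowed.

```python
"""Simulate a stub resolver with a search list handling the short name 'ai'
before and after a public top-level A record for 'ai.' appears.
Added example; all zone data below is constructed."""

NXDOMAIN = None

# Constructed DNS views. Internal zone is what the intranet resolver knows;
# the public views are what the outside world answers for 'ai.'.
INTERNAL_ZONE = {"ai.example.com.": "10.0.0.5"}      # intranet-only host
PUBLIC_DNS = {}                                      # no top-level A record
PUBLIC_DNS_WITH_TLD_A = {"ai.": "203.0.113.7"}       # 'ai.' now has an A record


def lookup(name, public, internal=INTERNAL_ZONE):
    """One A query: internal zone first, then public DNS, else NXDOMAIN."""
    if name in internal:
        return internal[name]
    return public.get(name, NXDOMAIN)


def resolve(short_name, search_list, public, absolute_first=True):
    """Resolve a possibly unqualified name using a search list.
    absolute_first=True mirrors the thread: query 'ai.' as-is and append a
    search suffix only on NXDOMAIN. absolute_first=False tries the suffixed
    names first and the bare name last (glibc does this for names with fewer
    dots than its ndots setting; assumption, not from the thread)."""
    label = short_name.rstrip(".")
    candidates = [label + "."] + [label + "." + s.strip(".") + "." for s in search_list]
    if not absolute_first:
        candidates = candidates[1:] + candidates[:1]
    for cand in candidates:
        addr = lookup(cand, public)
        if addr is not NXDOMAIN:
            return cand, addr
    return None, NXDOMAIN


def shadowed(short_name, search_list, public, absolute_first=True):
    """True when the short name resolves to something other than the intranet host."""
    name, _ = resolve(short_name, search_list, public, absolute_first)
    return name is not None and name not in INTERNAL_ZONE


if __name__ == "__main__":
    for public, label in ((PUBLIC_DNS, "before"), (PUBLIC_DNS_WITH_TLD_A, "after")):
        print(label, "absolute-first:", resolve("ai", ["example.com"], public))
        print(label, "search-first:  ", resolve("ai", ["example.com"], public, False))
```

The check a defender can run is the same in either order: query public DNS for each single-label intranet name and flag any that return an address.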
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security