On 2012-06-18 3:48 AM, Gervase Markham wrote:
> On 16/06/12 15:46, Zack Weinberg wrote:
>> I have remembered the security case for not honoring top-level A
>> records: it has to do with abbreviated DNS names used in intranets.
>> Suppose http://ai.example.com/ is an internal-use-only server for
>> example.com employees, whose computers have all been configured to retry
>> NXDOMAINs by tacking '.example.com' on the end,
>
> Is that the common "search suffix" behaviour, then? A typed domain is
> tried and if NXDOMAIN is returned, the suffixed versions are tried? It's
> never the case that it tries suffixes first?

Yes, that is how suffix search has always worked AFAIK.

>> a public A query
>> for ai. that returns an address will *supersede* the expected behavior
>> and redirect intended-to-be-private HTTP requests to the external
>> server.  Depending on what the internal server does, this could cause a
>> disastrous data leak.
>
> Isn't this also a problem for http://foo.corp/ if "corp" gets registered
> as a TLD?

Yes; however it is my impression (based on nothing terribly concrete) that this is much rarer than http://foo/ and http://foo.corp.company.com/ .

You could make a case that the right fix here is to disable suffix search, but I imagine that would not go over well with the large intranet installations that are using it.

> Has ICANN 'reserved' some suffixes for internal use which it guarantees
> will never be TLDs, to allow smart network admins to avoid this problem?

I don't know.

zw
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
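As an added illustration (not code from the thread or from anyone on it), the following Python models the search-suffix order discussed above with constructed zone data: it shows a dotless public answer for "ai." superseding the intranet name, shows the suffix-first order Gerv asks about, and includes a defender-side audit for internal short names whose bare label has become a resolvable dotless domain. The zone contents, addresses and the suffix_first option are all assumptions made for the example.

```python
from typing import Optional

NXDOMAIN = None  # stands in for a "name does not exist" answer

# Constructed data, not real DNS. Public view before any "ai" TLD exists:
PUBLIC_BEFORE = {"example.com.": "203.0.113.10"}
# Public view after "ai" is delegated as a TLD *and* given an apex A record:
PUBLIC_AFTER = {"example.com.": "203.0.113.10", "ai.": "198.51.100.7"}
# The intranet zone that example.com employees rely on:
INTERNAL = {"ai.example.com.": "10.0.0.5"}


def lookup(fqdn: str, public: dict, internal: dict) -> Optional[str]:
    """Answer one fully-qualified query: internal zone first, then public."""
    if fqdn in internal:
        return internal[fqdn]
    return public.get(fqdn, NXDOMAIN)


def resolve(typed: str, public: dict, internal: dict,
            suffixes=("example.com.",), suffix_first: bool = False):
    """Stub-resolver suffix search as the thread describes it: try the typed
    name as-is and, only on NXDOMAIN, append each search suffix in turn.
    suffix_first=True (an assumed option) models the alternative order
    asked about above, applied to single-label (dotless) names only."""
    as_typed = [typed + "."]
    with_suffix = [f"{typed}.{s}" for s in suffixes]
    if suffix_first and "." not in typed:
        order = with_suffix + as_typed
    else:
        order = as_typed + with_suffix
    for fqdn in order:
        addr = lookup(fqdn, public, internal)
        if addr is not NXDOMAIN:
            return fqdn, addr
    return None, NXDOMAIN


def audit_dotless_collisions(internal: dict, suffixes, public: dict) -> list:
    """Defender check: for every internal name reachable by a single-label
    short name, report it if that bare label now answers publicly as a
    dotless domain, since as-typed-first search would then prefer it."""
    hits = []
    for fqdn in internal:
        for s in suffixes:
            if not fqdn.endswith("." + s):
                continue
            label = fqdn[: -len(s) - 1]
            public_addr = lookup(label + ".", public, {})
            if "." not in label and public_addr is not NXDOMAIN:
                hits.append((label, fqdn, public_addr))
    return hits
```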