On 6/18/2012 3:48 AM, Gervase Markham wrote:
> On 16/06/12 15:46, Zack Weinberg wrote:
>> I have remembered the security case for not honoring top-level A
>> records: it has to do with abbreviated DNS names used in intranets.
>> Suppose http://ai.example.com/ is an internal-use-only server for
>> example.com employees, whose computers have all been configured to retry
>> NXDOMAINs by tacking '.example.com' on the end,

   Right.  But that's handled at the DNS search level.  "getaddrinfo",
given "ai", tries

        ai      - relative to local root, which is usually the
                domain of the local machine minus the first
                domain label

        ai.     - relative to global root.

Then Firefox feeds "ai.com" to getaddrinfo, so this gets tried

        ai.com  - relative to local root

        ai.com. - relative to global root

Then Firefox feeds "ai" to the default search engine.

Now, all of this applies only to the first time Firefox
sees "ai".  The SECOND time, caching in Firefox affects
the result.  You can see this now.  If you haven't
tried "ai" in this Firefox browser session, try it, and it will
spill to the search engine.  Then try "ai." or "ai/", which
forces a domain search.  Now you'll get the domain. Then try
a bare "ai" again, and you'll get the domain, because the
cache in Firefox doesn't do this right.

I think.

Google Chrome has a different (and probably better) system
for resolving this ambiguity - it asks you which one you want.

                                John Nagle
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
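
An added example (not part of the original message and not Firefox code): a small Python model of the lookup order discussed in this thread, using the search-list and ndots rules documented in resolv.conf(5), which may order candidates differently from the resolver described above. The function names, the example.com search list and the sets of existing names are constructed for illustration; the ".com" retry is the fixup step described in the message.

```python
def search_candidates(name, search, ndots=1):
    """Ordered absolute names a stub resolver tries for `name` (resolv.conf(5) rules)."""
    if name.endswith("."):
        return [name]                      # trailing dot: absolute only, no search list
    absolute = name + "."
    relative = [f"{name}.{s.strip('.')}." for s in search]
    if name.count(".") >= ndots:
        return [absolute] + relative       # enough dots: try as-is first
    return relative + [absolute]           # short name: search list first


def browser_lookups(typed, search, ndots=1, fixup_suffix="com"):
    """All DNS names tried for a typed word: the word, then word + '.com'."""
    if typed.endswith("."):
        return search_candidates(typed, search, ndots)
    names = []
    for host in (typed, f"{typed}.{fixup_suffix}"):
        names.extend(search_candidates(host, search, ndots))
    return names


def external_candidates(typed, search, **kw):
    """Candidates outside every search domain, i.e. answerable by a public zone."""
    suffixes = tuple("." + s.strip(".") + "." for s in search)
    return [c for c in browser_lookups(typed, search, **kw)
            if not c.endswith(suffixes)]


def resolve_first(candidates, existing):
    """First candidate present in `existing` (a constructed set of live names)."""
    return next((c for c in candidates if c in existing), None)


if __name__ == "__main__":
    search = ["example.com"]               # constructed intranet search list
    tried = browser_lookups("ai", search)
    print("lookup order:", tried)
    print("leave the intranet:", external_candidates("ai", search))
    # Constructed scenarios: on the intranet the internal host wins;
    # off-network the same typed word lands on a public name.
    print("on intranet :", resolve_first(tried, {"ai.example.com.", "ai.", "ai.com."}))
    print("off network :", resolve_first(tried, {"ai.", "ai.com."}))
```

Running it over an inventory of short intranet hostnames shows which ones have an external fallback that would answer when the internal zone is unreachable.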
