On 2012-06-19 4:48 AM, Gervase Markham wrote:
> On 16/06/12 15:46, Zack Weinberg wrote:
>> I disagree; this is the place to work out whether it is Mozilla's
>> opinion that top-level A records are inappropriate.  We have the
>> technical ability to refuse to honor such records,
>
> Can you outline how we might do that? Would we need our own DNS
> resolver? (Do we have that already? I know there was talk, for DNSSEC
> reasons...)

I think we do need our own DNS resolver eventually (mostly because DNSSEC) but it's not necessary for this. We'd just have to refuse to do the DNS query at all for URLs whose hostname component did not contain a dot, and/or which was equal to or a suffix of an entry in the public suffix list.

This would also entail implementing our own *suffix search* logic to replace the logic built into gethostbyname/getaddrinfo, so that we didn't break the aforementioned intranet sites. I think there's a case for doing that independent of whether we reject top-level A(AAA) records: the security problem arises because an external entity changes the meaning of an organization-internal URL, and we could fix that by doing suffix search *first*.

(Alternatively we could disable suffix search altogether and see how much screaming there is.)

zw
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
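
The policy described in the reply above, as an added Python illustration that is not part of the original message or any Mozilla code. The public suffix subset, search list, zone data and all function names are constructed for the example, and applying suffix search only to dotless relative names is an assumption.

```python
# Constructed sample data: a tiny subset of the public suffix list and a
# resolver search list as an intranet client might have it configured.
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk"}
SEARCH_DOMAINS = ["corp.example.com", "example.com"]

def is_public_suffix(name, suffixes=PUBLIC_SUFFIXES):
    """True if name equals a list entry or is a suffix of one ('uk' for 'co.uk')."""
    return any(e == name or e.endswith("." + name) for e in suffixes)

def candidate_queries(host, search_domains=SEARCH_DOMAINS,
                      suffixes=PUBLIC_SUFFIXES):
    """Ordered list of names the client is willing to send to DNS."""
    absolute = host.endswith(".")          # 'com.' is rooted: no suffix search
    name = host.rstrip(".").lower()
    if not name:
        return []
    queries = []
    if "." not in name and not absolute:
        # Suffix search first: a dotless name only ever means an internal host.
        queries += [f"{name}.{domain}" for domain in search_domains]
    if "." in name and not is_public_suffix(name, suffixes):
        # The literal name is queried only if it is neither dotless nor a
        # public suffix, so a top-level A/AAAA record is never consulted.
        queries.append(name)
    return queries

def resolve(host, lookup):
    """Return (queried_name, address) for the first candidate that answers."""
    for query in candidate_queries(host):
        address = lookup(query)
        if address:
            return query, address
    return None

# Constructed zone: 'mail' and 'payroll' also exist as top-level records
# published by an external party.
ZONE = {
    "mail.corp.example.com": "10.0.0.5",
    "mail": "203.0.113.7",
    "payroll": "203.0.113.9",
    "www.mozilla.org": "192.0.2.10",
}

if __name__ == "__main__":
    for h in ("mail", "payroll", "com.", "co.uk", "www.mozilla.org"):
        print(h, "->", candidate_queries(h), resolve(h, ZONE.get))
```

With this ordering the intranet meaning of `mail` wins, and `payroll`, which exists only as a top-level record in the sample zone, fails to resolve instead of being answered by the external record.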