On 22/06/12 11:19 AM, Justin Dolske wrote:
On 6/19/12 9:24 AM, Zack Weinberg wrote:

I think we do need our own DNS resolver eventually (mostly because
DNSSEC) but it's not necessary for this. We'd just have to refuse to do
the DNS query at all for URLs whose hostname component did not contain a
dot, and/or which was equal to or a suffix of an entry in the public
suffix list.

There's also the fun case of ...

Oh, and me too - when I was in the business of writing highly secure client applications, the protocol engines were written to be independent of DNS (yes, we had our own conversions from domain to IP, and our competitors did that as well).

I thought we were pretty immune until I discovered 30-second blockages, which were eventually traced to Sun's compulsory crypto engine (JCE). It was doing default DNS resolves on some random name within its startup code, hitting up against misconfigured local networking. In effect, Java was saying that unless you are connected to the net with no funny business, you're not supposed to use crypto.



iang
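The gate Zack describes above (refuse the DNS query outright for dotless hostnames and for names that equal or are a label-suffix of a public suffix list entry), as an added example that is not code from the thread or from Mozilla; the PSL sample is constructed and tiny, and wildcard/exception rules of the real list are not modelled.

```python
# Added example: a pre-resolution gate, not code from the thread.
# PUBLIC_SUFFIXES is a constructed, deliberately small sample; the real
# public suffix list also carries wildcard ("*.ck") and exception ("!www.ck")
# rules, which this simplified label-suffix check does not model.
PUBLIC_SUFFIXES = frozenset({"com", "org", "co.uk", "github.io", "uk"})


def _labels(name):
    """Normalise a hostname into lowercase DNS labels (trailing dot dropped)."""
    return name.rstrip(".").lower().split(".")


def is_psl_suffix_or_equal(hostname, suffixes=PUBLIC_SUFFIXES):
    """True if hostname equals a PSL entry or is a label-suffix of one.

    'co.uk' matches the entry 'co.uk'; 'uk' is a suffix of 'co.uk';
    'example.co.uk' is longer than every entry and therefore does not match.
    """
    host = _labels(hostname)
    for entry in suffixes:
        ent = _labels(entry)
        if len(host) <= len(ent) and ent[-len(host):] == host:
            return True
    return False


def should_resolve(hostname):
    """Return (allowed, reason) for a URL hostname before any DNS lookup."""
    name = hostname.rstrip(".").lower()
    if not name or "." not in name:
        return False, "dotless hostname"
    if "" in name.split("."):
        return False, "empty label"
    if is_psl_suffix_or_equal(name):
        return False, "public-suffix name"
    return True, "ok"


def resolve_if_allowed(hostname, resolver):
    """Call resolver(hostname) only when the gate allows it; else return None.

    `resolver` is any callable (hypothetical here) that performs the lookup,
    so the decision is made before a single query leaves the host.
    """
    allowed, _reason = should_resolve(hostname)
    return resolver(hostname) if allowed else None
```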
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
