On Thu, Nov 4, 2021 at 6:54 AM Douglas Foster <dougfoster.emailstanda...@gmail.com> wrote:

> It would be helpful to understand why people want to climb into the publicsuffix.org list. My guess: An ISP, such as "ISP.TLD", allows customers to create websites under their parent. They need to be able to indicate that website JohnSmith.ISP.TLD is independent of website IvanWatson.ISP.TLD, and therefore cross-site scripting defenses should treat them as two organizations rather than one. This scenario needs a flag that says "No alignment for XSS purposes", and the set of names that need that flag may be very different from the set of names that need a DMARC non-alignment flag. So a set of feature-specific DNS flags will indeed be a better long-term design than a simple "I'm a PSL" flag.
>
> I can't answer whether PSLs will cooperate by publishing DNS entries. My original suggestion was to specify the flag syntax in the RFC, so that deployment negotiations can begin, while recommending that implementers use both. For the same reason that I did not see a threat risk, I would place greater trust in the DNS entry when it is present, so I would check DNS first. But I would also check the publicsuffix.org list to handle the problem of DNS non-participation.
>
> As a DNS person, I always prefer a DNS answer, especially if that answer is signed with DNSSEC. But DNSSEC deployment is still not as straightforward, and non-DNS folks still argue about deploying it.
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
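The lookup order discussed in the message above (consult a DNS flag first, fall back to the publicsuffix.org list when the zone does not participate) as an added, self-contained example; this is not code from the thread or from any DMARC implementation. The flag record name `_psl.<suffix>` and its tag syntax `v=psl1; dmarc=y` are assumptions standing in for the syntax the thread leaves unspecified, the DNS answers are a constructed in-memory table rather than real queries, and the embedded list excerpt is a constructed sample in publicsuffix.org format, included so the wildcard and exception rules are exercised too.

```python
"""Organizational-domain lookup: feature-specific DNS flag first, then the
public suffix list as the fallback for zones that do not publish a flag.
Added example; the flag record name and tag syntax are hypothetical."""

# Constructed excerpt in publicsuffix.org list format (not the real file).
SAMPLE_PSL = """\
// ===BEGIN ICANN DOMAINS===
com
uk
co.uk
*.ck
!www.ck
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
github.io
"""

# Constructed DNS answers. The "_psl.<suffix>" name and the "v=psl1; dmarc=y"
# tags are assumptions: a DMARC-specific "this is a public suffix" flag, as
# opposed to a single flag covering every feature.
DNS_TXT = {
    "_psl.isp.tld": ["v=psl1; dmarc=y"],
    "_psl.tld": ["v=psl1; dmarc=y"],
}


def parse_psl(text):
    """Return the rules of a PSL file, dropping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        rules.append(line.split()[0].lower())
    return rules


def _rule_matches(rule, labels):
    """A rule matches when its labels equal the trailing labels of the name;
    '*' matches any single label; '!' (exception) is ignored for matching."""
    rule_labels = rule.lstrip("!").split(".")
    if len(rule_labels) > len(labels):
        return False
    for r, l in zip(reversed(rule_labels), reversed(labels)):
        if r != "*" and r != l:
            return False
    return True


def public_suffix_psl(labels, rules):
    """PSL algorithm: an exception rule wins, else the longest matching rule,
    else the implicit '*' rule (one label)."""
    matches = [r for r in rules if _rule_matches(r, labels)]
    exceptions = [r for r in matches if r.startswith("!")]
    if exceptions:
        n = len(exceptions[0].lstrip("!").split(".")) - 1
    elif matches:
        n = max(len(r.split(".")) for r in matches)
    else:
        n = 1
    return n  # number of trailing labels that form the public suffix


def dns_flag_present(suffix, answers=DNS_TXT):
    """True if the hypothetical flag record says this suffix is a public
    suffix for DMARC purposes. Only the 'dmarc' tag is consulted, so a flag
    published for another feature (e.g. XSS isolation) would not count."""
    for txt in answers.get("_psl." + suffix, []):
        tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
        if tags.get("v") == "psl1" and tags.get("dmarc") == "y":
            return True
    return False


def organizational_domain(domain, rules, answers=DNS_TXT):
    """DNS flag is trusted first; the longest flagged suffix wins, so a flag
    on isp.tld overrides one on tld. Returns None when the name is itself a
    public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if dns_flag_present(".".join(labels[i:]), answers):
            return None if i == 0 else ".".join(labels[i - 1:])
    # No DNS participation anywhere in the path: fall back to the list.
    n = public_suffix_psl(labels, rules)
    if n >= len(labels):
        return None
    return ".".join(labels[-(n + 1):])


def relaxed_aligned(a, b, rules, answers=DNS_TXT):
    """DMARC relaxed alignment: both names share an organizational domain."""
    oa = organizational_domain(a, rules, answers)
    return oa is not None and oa == organizational_domain(b, rules, answers)


if __name__ == "__main__":
    rules = parse_psl(SAMPLE_PSL)
    for name in ("johnsmith.isp.tld", "www.ivanwatson.isp.tld", "isp.tld",
                 "mail.example.co.uk", "foo.www.ck", "a.b.ck"):
        print(name, "->", organizational_domain(name, rules))
```

With the flag on isp.tld, JohnSmith.ISP.TLD and IvanWatson.ISP.TLD come back as two organizational domains and fail relaxed alignment against each other; names under co.uk, ck and github.io never reach DNS-flag territory and are resolved from the list, which is exactly the non-participation case the message wants covered. A real resolver would also have to decide what a DNSSEC-validated answer versus an unsigned one is worth, which the table here cannot model.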