Jay Ashworth j...@baylink.com writes:
- Original Message -
From: John Levine jo...@iecc.com
The public suffix list contains points in the DNS where (roughly
speaking) names below that point are under different management from
each other and from that name. It's here:
On 2013-04-19, at 14:17, Bjørn Mork bj...@mork.no wrote:
It is already, isn't it? The NS and SOA records will tell you all there
is to know about zone splits and cross zone relations.
Not really.
In general, just because a zone is served by the same nameservers as another
zone doesn't mean
Joe Abley jab...@hopcount.ca wrote:
If the rule was just the nameservers need to be the same and the SOA
RDATA needs to be the same, for some well-documented meaning of 'same'
then gaming that rule (e.g. for purposes of cookie injection) as a
miscreant is unpleasantly straightforward.
To
On 4/19/2013 12:57 PM, Tony Finch wrote:
To reinforce Joe's point, there doesn't even need to be a zone cut for
there to be an administrative cut. There are various ISPs and dynamic DNS
providers that put all their users in the same zone, and the common suffix
of a zone like this should be
On 4/19/13, Dave Crocker d...@dcrocker.net wrote:
On 4/19/2013 12:57 PM, Tony Finch wrote:
To reinforce Joe's point, there doesn't even need to be a zone cut for
there to be an administrative cut. There are various ISPs and dynamic DNS
providers that put all their users in the same zone, and
If the DS record identifies a different signer, then you have an
administrative split,
or if the e-mail address field in the SOA fields of the parent zone
are different, then you have an administrative split, OR if one of the
two zones has RP (responsible party records), and the list of RP
On 4/19/2013 4:33 PM, Jimmy Hess wrote:
It seems this is more about providing a security function to DNS, to
inform the public, about where the responsible parties change.
Absent a view that somehow says all metadata is a security function, I
don't see how the marking of administrative
On 4/19/13, Dave Crocker d...@dcrocker.net wrote:
On 4/19/2013 4:33 PM, Jimmy Hess wrote:
[snip]
Absent a view that somehow says all metadata is a security function, I
don't see how the marking of administrative boundaries qualifies as a
security function.
The security function comes in
1. Explicitly marking an administrative boundary is not inherently a
'security' function, although properly authorizing and protecting the
marking no doubt would be.
2. Defining a marking mechanism that is built into a security mechanism
that is designed for other purposes is overloading
On 4/19/13, Dave Crocker d...@dcrocker.net wrote:
That is only theoretically possible, if every boundary keeper participates.
In reality, you would wind up with some zones having explicit marking,
and most zones not having any marking at all, just because the admin
didn't bother to pick up on
On Mon, Apr 15, 2013 at 11:34 PM, Geoffrey Keating geo...@geoffk.org wrote:
They'd really like to have a process which is less ad-hoc. For
example, it'd be great if these points were annotated in the DNS
itself, perhaps with a record which points to the corresponding
whois server
Btw.,
On Apr 15, 2013, at 5:34 PM, Geoffrey Keating wrote:
CAs use it as part of a procedure to determine whether it's safe to
issue a wildcard domain (as in, if it's on the list, it's not safe). See
https://www.cabforum.org/Baseline_Requirements_V1_1_3.pdf, section 11.1.3.
They'd really like
On Mon, Apr 15, 2013 at 3:10 PM, John Levine jo...@iecc.com wrote:
You don't have to tell me that it's a gross crock, but it seems to
be a useful one. What do people use it for? Here's what I know of:
At dnswl.org, we use a heuristic (and manual checks) to derive different
levels of
dnswl.org should look at publicsuffix.org to correct errors.
On Mon, Apr 15, 2013 at 7:55 AM, Matthias Leisi matth...@leisi.net wrote:
On Mon, Apr 15, 2013 at 3:10 PM, John Levine jo...@iecc.com wrote:
You don't have to tell me that it's a gross crock, but it seems to
be a useful one.
- Original Message -
From: John Levine jo...@iecc.com
The public suffix list contains points in the DNS where (roughly
speaking) names below that point are under different management from
each other and from that name. It's here: http://publicsuffix.org/
The idea is that
On 2013-04-15, at 12:00, Jay Ashworth j...@baylink.com wrote:
Seems to me that it's a crock because *it should be in the DNS*.
I should be able to retrieve the AS (administrative split) record
for .co.uk, and there should be one that says, yup, there's an
administrative split below me;
On Apr 15, 2013, at 9:30 AM, Joe Abley jab...@hopcount.ca wrote:
[...]
If you need the mechanism to work (...) then I can see why fetching and
caching a browser list over SSL (and perhaps shipping with a baseline version
of it) seems attractive.
Sounds like this could've been good logic for
They'd really like to have a process which is less ad-hoc. For
example, it'd be great if these points were annotated in the DNS
itself, perhaps with a record which points to the corresponding
whois server.
I've been thinking about a way to do that, but I want to understand the
use cases
John Levine jo...@iecc.com writes:
The public suffix list contains points in the DNS where (roughly
speaking) names below that point are under different management from
each other and from that name. It's here: http://publicsuffix.org/
The idea is that abc.foo.com and xyz.foo.com have the
19 matches