From: Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: Potential security issues with new top level domains?
Date: Sun, 16 Nov 2014 19:18:22 -0800
To: Jamie Landeg-Jones
Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org
Message-Id: <9848F63A-D88F-4A8A-A15B-E2B5D4A5939C@vpnc.org>
In-Reply-To: <201411170238.sAH2cLXQ062439@dyslexicfish.net>
List-Id: "Security issues [members-only posting]" (freebsd-security@freebsd.org)

On Nov 16, 2014, at 6:38 PM, Jamie Landeg-Jones wrote:

> Yes, the 'A' returned is invalid in this case, but what's to say this
> will be the case with all future new TLDs?

It will be the case for the first 90 days for all new TLDs that have three or more letters in their names; it will probably not be true for new TLDs with two letters in their name.

> I realise the spec is being followed correctly,

Yes.

> but it still seems wrong
> to me that any 'host' related resource types resolve for an address at the
> top level, and I was wondering what others thought about it?

The spec is being followed correctly, and there are many other TLDs that do this: see .

> Should the FreeBSD resolver ignore / not make such requests?
>
> Should instead the functionality be built into unbound/named etc.?
>
> Should instead TLD owners be banned from adding such records? (this still
> could be abused though)

No, no, and no. As you say above, the spec is being followed. You can mitigate your misuse of the DNS: .

--Paul Hoffman (a long-time FreeBSDer who co-wrote the above RFC, and also wrote the ICANN report)
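The thread turns on two things a practitioner may want to see concretely: how a stub resolver ends up sending a single-label ("dotless") name to a TLD apex in the first place, and how an application can recognise the answers that come back from one. The following Python is an added example, not code from the thread or from FreeBSD. It reproduces the search-list ordering of a res_search()-style stub resolver (an approximation of libc behaviour, not a copy of it), and classifies A answers. The TLD list is a constructed stand-in for the root zone, and 127.0.53.53 is the address ICANN publishes for the 90-day controlled-interruption period of new gTLDs; that value comes from ICANN, not from this thread.

```python
"""Dotless-name lookups: how they arise in a stub resolver, and how to
recognise suspicious apex answers. Added example; no network access."""
import ipaddress
from typing import List

# Constructed stand-in for the set of delegated TLDs (assumption, not a live
# copy of the root zone).
DELEGATED_TLDS = {"com", "net", "org", "guru", "link", "berlin"}

# Address ICANN returns for every name under a new gTLD during its 90-day
# controlled-interruption period (public ICANN value, not from the thread).
CONTROLLED_INTERRUPTION = ipaddress.IPv4Address("127.0.53.53")


def labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing root dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def is_dotless(name: str) -> bool:
    """True for a single-label, non-root name: the lookup targets a TLD apex."""
    return len(labels(name)) == 1


def stub_resolver_queries(name: str, search_list: List[str], ndots: int = 1) -> List[str]:
    """Approximate the query order of a res_search()-style stub resolver.

    A name with fewer than `ndots` dots is tried with each search suffix first
    and as written last; a name with `ndots` or more dots is tried as written
    first; an absolute name (trailing dot) is tried as written only. The
    final 'as written' query for a dotless name is what reaches the TLD apex.
    """
    if name.endswith("."):
        return [name.lower()]
    base = ".".join(labels(name))
    suffixed = [f"{base}.{suffix.strip('.')}." for suffix in search_list]
    if name.count(".") >= ndots:
        return [base + "."] + suffixed
    return suffixed + [base + "."]


def classify_answer(qname: str, answer: str) -> str:
    """Classify an A answer the way a cautious application might before use."""
    addr = ipaddress.IPv4Address(answer)
    query_labels = labels(qname)
    if addr == CONTROLLED_INTERRUPTION:
        # Name-collision signal from a new gTLD; the record is not a real host.
        return "controlled-interruption"
    if addr.is_loopback or addr.is_unspecified:
        # Loopback/0.0.0.0 from a remote zone is never a usable host address.
        return "bogus-address"
    if len(query_labels) == 1 and query_labels[0] in DELEGATED_TLDS:
        # A syntactically valid A record at a TLD apex: a dotless domain.
        return "dotless-tld-apex"
    return "ordinary"


if __name__ == "__main__":
    for q in stub_resolver_queries("guru", ["corp.example.com"]):
        print("would query:", q)
    print(classify_answer("guru.", "127.0.53.53"))
    print(classify_answer("guru.", "192.0.2.1"))
```

The point the ordering makes is that a single-label name typed by a user is tried against the search list first, so a TLD apex record is only reached once every search suffix has produced NXDOMAIN; the classifier then gives the application somewhere to refuse such answers without changing the resolver or the zone, which is the direction the reply above points to.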