Date: Sun, 16 Nov 2014 19:18:22 -0800 From: Paul Hoffman <paul.hoffman@vpnc.org> To: Jamie Landeg-Jones <jamie@dyslexicfish.net> Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org Subject: Re: Potential security issues with new top level domains? Message-ID: <9848F63A-D88F-4A8A-A15B-E2B5D4A5939C@vpnc.org> In-Reply-To: <201411170238.sAH2cLXQ062439@dyslexicfish.net> References: <201411170238.sAH2cLXQ062439@dyslexicfish.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Nov 16, 2014, at 6:38 PM, Jamie Landeg-Jones <jamie@dyslexicfish.net> = wrote: > Yes, the 'A' returned is invalid in this case, but what's to say this > will be the case with all future new TLDs? It will be the case for the first 90 days for all new TLDs that have = three or more letters in their names; it will probably not be true for = new TLDs with two letters in their name. > I realise the spec is being followed correctly, Yes. > but it still seems wrong > to me that any 'host' related resource types resolve for an address at = the > top level, and I was wondering what others thought about it? The spec is being followed correctly, and there are many other TLDs that = do this: see <https://tools.ietf.org/html/rfc7085>. > Should the FreeBSD resolver ignore / not make such requests? >=20 > Should instead the functionality be built into unbound/named etc.? >=20 > Should instead TLD owners be banned from adding such records? (this = still > could be abused though) No, no, and no. As you say above, the spec is being followed. You can = mitigate your misuse of the DNS: = <https://www.icann.org/en/system/files/files/name-collision-mitigation-01a= ug14-en.pdf>. --Paul Hoffman (a long-time FreeBSDer who co-wrote the above RFC, and also wrote the = ICANN report)=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9848F63A-D88F-4A8A-A15B-E2B5D4A5939C>