Date: Sun, 16 Nov 2014 19:18:22 -0800 From: Paul Hoffman <paul.hoffman@vpnc.org> To: Jamie Landeg-Jones <jamie@dyslexicfish.net> Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org Subject: Re: Potential security issues with new top level domains? Message-ID: <9848F63A-D88F-4A8A-A15B-E2B5D4A5939C@vpnc.org> In-Reply-To: <201411170238.sAH2cLXQ062439@dyslexicfish.net> References: <201411170238.sAH2cLXQ062439@dyslexicfish.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Nov 16, 2014, at 6:38 PM, Jamie Landeg-Jones <jamie@dyslexicfish.net> wrote: > Yes, the 'A' returned is invalid in this case, but what's to say this > will be the case with all future new TLDs? It will be the case for the first 90 days for all new TLDs that have three or more letters in their names; it will probably not be true for new TLDs with two letters in their name. > I realise the spec is being followed correctly, Yes. > but it still seems wrong > to me that any 'host' related resource types resolve for an address at the > top level, and I was wondering what others thought about it? The spec is being followed correctly, and there are many other TLDs that do this: see <https://tools.ietf.org/html/rfc7085>. > Should the FreeBSD resolver ignore / not make such requests? > > Should instead the functionality be built into unbound/named etc.? > > Should instead TLD owners be banned from adding such records? (this still > could be abused though) No, no, and no. As you say above, the spec is being followed. You can mitigate your misuse of the DNS: <https://www.icann.org/en/system/files/files/name-collision-mitigation-01aug14-en.pdf>. --Paul Hoffman (a long-time FreeBSDer who co-wrote the above RFC, and also wrote the ICANN report)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9848F63A-D88F-4A8A-A15B-E2B5D4A5939C>