Re: [DNSOP] Public Suffix List

Jeroen Massar wrote:
> [Why not go DNSSEC first instead of solving a problem which is not a
> real problem? See below... ]

I'm not sure that DNSSEC solves the problem we are trying to solve, but
would be happy to be enlightened.

> You are *hard-coding* such a list into a 'product'? You do realize that
> a lot of people simply don't update their software, I hope. Unfortunately,
> for the OSes that need updating the most, those people don't tend to update.

Fortunately, Firefox has an extremely good and fast update and uptake
rate. This is partly because we don't give users a choice about taking
non-major-version updates.

> You might want to consider using at least an RBL-style way for this.
> Though, you will of course hit off on all the privacy folks when you are
> doing another DNS query for www.spooks.gov.rbl.mozilla.org every hit and
> collecting all that information. 

Indeed. This is why this type of scheme is not a runner.

Yngve Pettersen of Opera has suggested something like this in his
internet draft; however, my view is that getting comprehensive buy-in
would take quite a lot more time and effort than this method.
http://www.ietf.org/internet-drafts/draft-pettersen-subtld-structure-03.txt

> How can non-TLDs get into this list!?

Just by asking; I already got an email from CentralNIC.

> If you are going to push this 'technology', you might want to consider
> doing an SPF-alike test, thus getting that information from the provider
> of the label, or better: fix the cookie standards.

Yngve has several suggestions about how this may be fixed longer-term:
http://my.opera.com/yngve/blog/2008/02/25/refreshed-internet-drafts-0208

However, this is what we have that works here and now.

> And another much better step which I think the rest of this group (as of
> course this message is just and only my personal opinion and not that of
> the group in any way... that is how the IETF works after all ;) would
> actually also like is the use of DNSSEC, which actually tells you that
> the domain you are looking at is really the domain you are requesting
> records from.

That's a different problem, though. Even if DNSSEC were deployed, it
wouldn't teach browsers about the structure of the DNS.

Gerv

Received on Monday, 9 June 2008 11:51:22 UTC
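The point Gerv makes above, that a browser needs to know where the registrable-domain boundary lies, can be shown with a small Public Suffix List matcher. This is an added example, not code from the thread, from Mozilla or from Opera; the rules in `SAMPLE_PSL` are a constructed sample in PSL syntax, not the real list, and the function names are my own.

```python
# Added example: a minimal Public Suffix List matcher (sample rules constructed
# here, not the real list) showing what the list gives a browser that DNS alone
# does not: the boundary at which a Domain= cookie attribute must be refused.

SAMPLE_PSL = """\
// constructed sample in PSL syntax; "*." is a wildcard, "!" an exception
com
uk
co.uk
*.ck
!www.ck
"""

def parse_psl(text):
    """Keep rule tokens; drop comments, blank lines and trailing notes."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("//"):
            rules.append(line.split()[0].lower())
    return rules

def public_suffix(host, rules):
    """PSL algorithm: a matching exception rule wins (suffix is the matched
    labels minus the leftmost); otherwise the longest matching rule; if no
    rule matches, the implicit rule "*" makes the last label the suffix."""
    labels = host.lower().rstrip(".").split(".")
    best = labels[-1:]
    for rule in rules:
        exception = rule.startswith("!")
        r_labels = rule.lstrip("!").split(".")
        if len(r_labels) > len(labels):
            continue
        tail = labels[-len(r_labels):]
        if all(r in ("*", h) for r, h in zip(r_labels, tail)):
            if exception:
                return ".".join(tail[1:])
            if len(tail) > len(best):
                best = tail
    return ".".join(best)

def registrable_domain(host, rules):
    """Public suffix plus one label; None when host is itself a public suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = len(public_suffix(host, rules).split("."))
    return None if len(labels) <= n else ".".join(labels[-(n + 1):])

def cookie_domain_allowed(request_host, cookie_domain, rules):
    """Reject a Domain= value that is a public suffix (it would be shared by
    every registrant under it) or that does not cover the request host."""
    d = cookie_domain.lower().lstrip(".")
    if registrable_domain(d, rules) is None:
        return False
    h = request_host.lower()
    return h == d or h.endswith("." + d)

RULES = parse_psl(SAMPLE_PSL)
```

Because the decision is made entirely from the local list, no DNS query (and no per-hit leak of visited hostnames, the privacy objection to an RBL-style lookup) is involved.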