mailing list archives
Re: What do people use public suffix for?
From: Joe Abley <jabley () hopcount ca>
Date: Mon, 15 Apr 2013 12:30:59 -0400
On 2013-04-15, at 12:00, Jay Ashworth <jra () baylink com> wrote:
Seems to me that it's a crock because *it should be in the DNS*.
I should be able to retrieve the AS (administrative split) record
for .co.uk, and there should be one that says, "yup, there's an
administrative split below me; nothing under there is mine unless
you also get an exception record for a subdomain".
I've always quite liked that idea (if we accept for the point of discussion that there are use-cases like cookie naming
that make identifying this kind of boundary useful).
There's a concern though that there are multiple ways to spoof such a DNS response, and do so in a distributed fashion
that might not be easy to detect by an individual client application. If the AS (or whatever) record was signed, that
would make things better. But only if you could rely upon clients to validate those responses (or have a sufficiently
clean DNS path out that validation was even possible).
There's also the question of what to do with a TLD (or other part of the namespace) that doesn't include this record.
Some of the zones we're talking about are generated by registry machinery with long software development lifecycles.
If your starting point is (a) the records might not be there, (b) we might not be able to find them even if they are
there, and (c) if we get them we can't always be sure they are genuine, then the natural conclusion is that you can't
rely on the mechanism to work and you look for another answer.
If you need the mechanism to work (say you're say a browser vendor who is going to get heat if cookie-leakage causes
widespread privacy violations) then I can see why fetching and caching a browser list over SSL (and perhaps shipping
with a baseline version of it) seems attractive.
And that I guess takes us back to where we are.