On 05/19/2011 12:16 PM, Dave Cridland wrote:

Hi Dave,

> But in practice I'm not sure what more we can hope for - the domain name
> validated by a browser-based BOSH client will be selected by the
> browser. The solution there would be to add an additional record that
> can then be used for validation, so we'd have:
> 
> _xmppconnect IN TXT "_xmpp-client-xbosh=https://bosh.jabber.org:5280/bind";
> _xmppconnect IN A 172.16.37.54
> _xmppconnect IN AAAA fe80::1
> 
> And browsers then ignore the hostname supplied by the _xmppconnect TXT
> record and instead use (and therefore validate) the _xmppconnect address
> record, which should essentially work. It *is* quite certainly a hack,
> though, and I'm quite sure this isn't a finished solution.

Do I understand correctly that we should then connect to the provided IP
address but validate using the /original/ hostname of the XMPP domain we
want to connect to (and not validate using the hostname mentioned in
the TXT record)?

Interesting, but I don't see how a browser-based client can do any DNS
lookups. And if it can, I don't see how it can validate against another
domain name. (Which more or less solves the problem: the browser-based
client can't discover the BOSH connector by using DNS, so a rogue DNS
record will never be processed by a browser-based client.)

But let's assume we are talking here about a fat client wanting to do
BOSH. Maybe we should then add TXT records for the IP, port and
location. Something like:

_xmppconnect IN TXT "_xmpp-client-xbosh=https://evil.com:5280/bind"
             IN TXT "_xmpp-client-xbosh-A=172.16.37.54"
             IN TXT "_xmpp-client-xbosh-AAAA=fe80::1"
             IN TXT "_xmpp-client-xbosh-port=5280"
             IN TXT "_xmpp-client-xbosh-location=/bind"

(The first record is added for insecure backward compatibility.)

best wishes,

Winfried
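The record layout proposed in the message above, as an added example that is not code from the thread: a small parser for those TXT strings that builds a connection plan in which the name checked against the server certificate is always the original XMPP domain, never a host named inside a DNS record. The domain "example.net" and the record values are constructed samples.

```python
# Added example (not part of the original thread): parse the _xmppconnect
# TXT record layout proposed in the message and build a connection plan in
# which the TLS name to validate is always the original XMPP domain.
from urllib.parse import urlsplit

PREFIX = "_xmpp-client-xbosh"

# Constructed TXT record set for the XMPP domain "example.net" (assumption),
# mirroring the records in the message: the legacy URL record points at a
# different host than the domain the client actually wants to reach.
TXT_RECORDS = [
    "_xmpp-client-xbosh=https://evil.com:5280/bind",
    "_xmpp-client-xbosh-A=172.16.37.54",
    "_xmpp-client-xbosh-AAAA=fe80::1",
    "_xmpp-client-xbosh-port=5280",
    "_xmpp-client-xbosh-location=/bind",
]

def parse_xmppconnect(records):
    """Split 'key=value' TXT strings into a dict, keeping only xbosh keys.

    The bare '_xmpp-client-xbosh' key is stored under 'url'; suffixed keys
    such as '_xmpp-client-xbosh-A' are stored under their suffix ('A').
    """
    fields = {}
    for rec in records:
        key, sep, value = rec.partition("=")
        if sep and key.startswith(PREFIX):
            fields[key[len(PREFIX):].lstrip("-") or "url"] = value
    return fields

def connection_plan(xmpp_domain, records):
    """Return where to connect and which name the certificate must match.

    Explicit address/port/location fields are preferred; the legacy URL is
    only a fallback.  Either way the certificate is validated against
    xmpp_domain, so a rogue record cannot pick the name that gets trusted.
    """
    f = parse_xmppconnect(records)
    url = urlsplit(f["url"]) if "url" in f else None
    host = f.get("A") or f.get("AAAA") or (url.hostname if url else None)
    port = int(f.get("port") or (url.port if url and url.port else 5280))
    path = f.get("location") or (url.path if url else "/bind")
    # Flag a URL whose host differs from the XMPP domain: the situation the
    # thread describes, where DNS alone must not decide whom the client trusts.
    mismatch = bool(url and url.hostname and url.hostname != xmpp_domain)
    return {"host": host, "port": port, "path": path,
            "tls_name": xmpp_domain, "url_host_mismatch": mismatch}
```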