On Jun 12, 2008, at 8:26 AM, Yngve Nysaeter Pettersen wrote:

> - Behind (very) closed firewalls, where all access goes through an HTTP-only
> proxy. No DNS for external addresses is available. For that matter, when
> going through a proxy you have no way of knowing if the DNS available to
> you knows anything about the address space you are accessing through the
> proxy.
>
> - On a number of systems, in particular phone devices, the application
> does not even have access to DNS to do a name lookup; it must specify the
> hostname and try to connect.
Ouch. That's really painful. For those devices I think you'd have to fall back to tunneling the DNS request over an HTTP channel.

> Additionally, a DNS-only solution would mean implementing a DNS client
> inside the application, since AFAICT the platform socket APIs usually do
> not provide the necessary functionality needed to access non-IP-address
> data.

I think Mozilla already has its own DNS resolver. It might need to be enhanced to support DNSSEC if it doesn't already. The ISC has a resolver you can use that's under the BSD license. The resolver isn't very big. So I think this is a non-issue.

I can see why you're resisting doing it this way. It does make for more work. But what I'd be worried about if you *don't* do it this way is that you're going to wind up making a mistake in your static list that's not going to get corrected in time, and somebody's going to run into an issue that gets you dinged for another stupid security complaint. And even though it was the fault of the site that allowed the bogus cookie, you're still going to get all the bad publicity. With a just-in-time lazy lookup scheme, you can be much more responsive.

_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop
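As an added illustration of the static-list concern raised in the reply above (example code written for this page, not from the thread, Mozilla or any browser): a cookie Domain= check driven by a static public-suffix list, where the list contents and the registry suffix `co.example` are constructed to show what happens when an entry is missing.

```python
# Added example, not part of the thread: a cookie Domain= check driven by a
# static public-suffix list, showing the failure mode of a stale list. The
# list contents and the "co.example" registry suffix are constructed.

# Constructed stand-in for a browser's static "effective TLD" list.
STATIC_SUFFIXES = frozenset({"com", "org", "co.uk"})


def registrable_domain(host, suffixes):
    """Return the registrable domain of host: one label below the longest
    public suffix that matches it. Returns None if host is itself a suffix.
    When no entry matches, the last label alone is assumed to be the suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return None if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def cookie_domain_allowed(request_host, cookie_domain, suffixes):
    """Accept a Domain= attribute only if the request host lies within it
    and it is not at or above a public suffix."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    if not (host == dom or host.endswith("." + dom)):
        return False  # cookie would be scoped outside the requesting host
    reg = registrable_domain(host, suffixes)
    if reg is None:
        return False  # host is a public suffix: no domain cookies at all
    return dom == reg or dom.endswith("." + reg)


if __name__ == "__main__":
    # Stale list: "co.example" is a registry suffix the list does not know,
    # so a cookie for co.example is accepted and reaches every registrant.
    print(cookie_domain_allowed("shop.co.example", "co.example", STATIC_SUFFIXES))
    # Corrected list: the same cookie is rejected.
    updated = STATIC_SUFFIXES | {"co.example"}
    print(cookie_domain_allowed("shop.co.example", "co.example", updated))
```

Until the list gains the `co.example` entry, every client shipping the stale copy accepts the registry-wide cookie; a lookup done at request time has no such window.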
