On 2.2.2018 09:32, Mark Andrews wrote:
> This isn’t about whether name servers load A records with non LDH names
> as they all can.
>
> The real question is do the name lookup APIs in the web browsers barf
> on non IDN, non LDH names since that is the mechanism being proposed
> for people to test this.

Sure. Given that MS AD uses underscore A records in its integrated DNS
server (at least in older versions), it is going to work with the DNS
resolver distributed with Windows. This covers 99 % of clients which can
potentially be the target of a potential ad campaign.

So, now, we need to test browsers... Talk is cheap, let's get our hands dirty!

I just tested Firefox 58.0.1 on Fedora 27
URL http://_test.example

Result:
The Firefox under test issued DNS queries
_test.example. A
_test.example. AAAA
just fine.

nsswitch.conf:
hosts: files mdns4_minimal [NOTFOUND=return] dns myhostnam

I do not have another desktop system at hand, so I will defer other
experiments to others. Please do experiments and report your results.

Petr Špaček @ CZ.NIC

> Mark
>
>> On 2 Feb 2018, at 6:50 pm, Petr Špaček <petr.spa...@nic.cz> wrote:
>>
>> On 2.2.2018 07:55, A. Schulze wrote:
>>> Paul Hoffman:
>>>> My preference is #1 because, in general, a label starting with _ has
>>>> been meant for infrastructure, and that's what these labels are.
>>>> Others might like #2 so they don't have to add configuration to BIND
>>>> (and maybe other authoritative servers).
>>>
>>> just checked, my NSD and POWERDNS serve A record for _foo.examle.
>>> without noise...
>>> so: #1
>>
>> For the record, I also like the underscore variant more (#1 above).
>>
>> BIND spits a warning about it and I like it. After all, this whole KSK
>> sentinel business is quite a specialized thing to do and should be done
>> only by people who know what they are doing, so a warning is appropriate.
>>
>> After all, what is your guess about the number of zones containing such
>> names? 10? 20 zones globally? I cannot see more, and most likely the vast
>> majority of people who would like to create such zones are following this
>> discussion.
>>
>> Please do not overcomplicate things. The technology seems okay to me.
>> (I've implemented it including tests, see Knot Resolver 2.0.0.)
>> Could we polish the text and publish it, pretty please?
>>
>>
>> (BTW I have seen underscore names with A records in Microsoft Active
>> Directory DNS years ago, so this is not the first time _ A is used.)
>>
>> --
>> Petr Špaček @ CZ.NIC

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
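
The distinction the thread turns on, as an added example that is not part of the original messages: a name such as _test.example fails host name (LDH) syntax, which is the kind of check a warning or a strict lookup API applies, yet it encodes into a DNS query without any problem. The function names are hypothetical, and the LDH rule used is the RFC 952 / RFC 1123 letter-digit-hyphen syntax.

```python
import re
import struct

# LDH label: starts and ends with a letter or digit, hyphens only inside,
# 1..63 octets (host name syntax from RFC 952 as relaxed by RFC 1123).
LDH_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

QTYPE = {"A": 1, "AAAA": 28}


def labels_of(name):
    """Split a presentation-format name into labels, dropping the root dot."""
    return name.rstrip(".").split(".")


def non_ldh_labels(name):
    """Return the labels that a strict host name check would reject."""
    return [l for l in labels_of(name) if not LDH_LABEL.fullmatch(l)]


def encode_query(name, qtype, txid=0):
    """Build an RFC 1035 query; the wire format places no LDH limit on labels."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b""
    for label in labels_of(name):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length out of range: %r" % label)
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"  # root label terminates the name
    if len(qname) > 255:
        raise ValueError("name longer than 255 octets")
    return header + qname + struct.pack("!HH", QTYPE[qtype], 1)  # class IN


if __name__ == "__main__":
    # Names taken from the thread plus one ordinary host name for contrast.
    for name in ("_test.example.", "www.example."):
        bad = non_ldh_labels(name)
        verdict = "non-LDH labels %s" % bad if bad else "LDH-clean"
        for qtype in ("A", "AAAA"):
            wire = encode_query(name, qtype)
            print("%-15s %-4s %-24s %s" % (name, qtype, verdict, wire[12:].hex()))
```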