On 2.2.2018 09:32, Mark Andrews wrote:
> This isn’t about whether name servers load A records with non LDH names
> as they all can.
> The real question is do the name lookup APIs in the web browsers barf
> on non IDN, non LDH names since that is the mechanism being proposed
> for people to test this.

Sure. Given that MS AD uses underscore A records in its integrated DNS
server (at least in older versions), it is going to work with the DNS
resolver distributed with Windows. This covers 99 % of clients which can
potentially be the target of a potential ad campaign.

So, now, we need to test browsers...

Talk is cheap, let's get hands dirty!

I just tested Firefox 58.0.1 on Fedora 27
URL http://_test.example

Result: The Firefox under test issued DNS queries
_test.example. A
_test.example. AAAA
just fine.

hosts:      files mdns4_minimal [NOTFOUND=return] dns myhostnam

I do not have another desktop system at hand, so I will defer other
experiments to others.

Please do experiments and report your results.
Petr Špaček  @  CZ.NIC

> Mark
>> On 2 Feb 2018, at 6:50 pm, Petr Špaček <petr.spa...@nic.cz> wrote:
>> On 2.2.2018 07:55, A. Schulze wrote:
>>> Paul Hoffman:
>>>> My preference is #1 because, in general, a label starting with _ has
>>>> been meant for infrastructure, and that's what these labels are.
>>>> Others might like #2 so they don't have to add configuration to BIND
>>>> (and maybe other authoritative servers).
>>> just checked, my NSD and POWERDNS serve A record for _foo.example.
>>> without noise...
>>> so: #1
>> For the record, I also like more the underscore variant (#1 above).
>> BIND spits a warning about it and I like it. After all, this whole KSK
>> sentinel business is quite a specialized thing to do and should be done
>> only by people who know what they are doing, so a warning is appropriate.
>> After all, what is your guess about number of zones containing such
>> names? 10? 20 zones globally? I cannot see more, and most likely vast
>> majority of people who would like to create such zones is following this
>> discussion.
>> Please do not overcomplicate things. The technology seems okay to me.
>> (I've implemented it including tests, see Knot Resolver 2.0.0.)
>> Could we polish the text and publish it, pretty please?
>> (BTW I have seen underscore names with A records in Microsoft Active
>> Directory DNS years ago, so this is not the first time _ A is used.)
>> -- 
>> Petr Špaček  @  CZ.NIC
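
The distinction the thread turns on, as an added Python example that is not part of the original messages: the DNS wire format carries `_test.example` like any other name, and only an LDH hostname check in a lookup API would reject it. All function names are hypothetical, the sample names are constructed, and escaped dots in labels are not handled.

```python
import re
import struct

# LDH host label (RFC 952 / RFC 1123): letters, digits, hyphen,
# 1-63 characters, no hyphen at either end.
LDH_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
QTYPES = {"A": 1, "AAAA": 28}


def split_labels(name):
    """Split a presentation-format name into labels, dropping the root dot."""
    return name.rstrip(".").split(".")


def non_ldh_labels(name):
    """Return the labels a strict hostname check would reject."""
    return [l for l in split_labels(name) if not LDH_LABEL.fullmatch(l)]


def encode_qname(name):
    """Encode a name in DNS wire format: length octet + raw label bytes."""
    out = bytearray()
    for label in split_labels(name):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    out.append(0)  # root label terminates the name
    if len(out) > 255:
        raise ValueError("name longer than 255 octets")
    return bytes(out)


def build_query(name, qtype, txid=0x1234):
    """Build a minimal recursive query (RD set, one question, class IN)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!2H", QTYPES[qtype], 1)


if __name__ == "__main__":
    # Constructed sample names; _test.example is the one tested in the thread.
    for name in ("_test.example", "test.example", "-bad.example"):
        verdict = non_ldh_labels(name) or "all LDH"
        print(f"{name:15} non-LDH labels: {verdict}")
        for qtype in ("A", "AAAA"):
            print(f"  {qtype:4} query: {build_query(name, qtype).hex()}")
```

Whether a given browser or stub resolver applies the LDH check before sending the query still has to be observed on the wire, as in the Firefox test above.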

DNSOP mailing list
