On Fri, Feb 2, 2018 at 4:41 AM, Petr Špaček <petr.spa...@nic.cz> wrote:
> On 2.2.2018 09:32, Mark Andrews wrote:
>> This isn’t about whether name servers load A records with non LDH names
>> as they all can.
>> The real question is do the name lookup api’s in the web browsers barf
>> on non IDN, non LDH names since that is the mechanism being proposed
>> for people to test this.
> Sure. Given that MS AD uses underscore A records in its integrated DNS
> server (at least in older versions), it is going to work with DNS
> resolver distributed with Windows. This covers 99 % of clients which can
> potentially be target of potential ad campaign.
> So, now, we need to test browsers...

For those who would like to test this, while not having to get their
hands quite as dirty, I've added:
_www     IN CNAME ron.kumari.net
xm--www   IN A
to ksk-test.net, and have updated the JavaScript to test these as well.

On Chrome and Safari on both OS X and iOS I get:
These below 2 tests are just for debugging / to understand browser
behavior. You:
were able to fetch the "underscore" record
were able to fetch the "dashdash" record

Surprisingly, on Chrome on Android and Samsung Internet (the browser
on Samsung Galaxy Note devices) I get:
These below 2 tests are just for debugging / to understand browser
behavior. You:
were **NOT** able to fetch the "underscore" record
were able to fetch the "dashdash" record

I must admit that I was not expecting this - can others please also test this?

I personally don't really care what the labels are -- we could make it
I-Heart-KennyG-is-ta-[foo] for all I care[0].

[0]: Note: anyone who suggests a: an emoticon or b: some cute unicode
hack is dead to me.

> Talk is cheap, let's get hands dirty!
> I just tested Firefox 58.0.1 on Fedora 27
> URL http://_test.example
> Result: The Firefox under test issued DNS queries
> _test.example. A
> _test.example. AAAA
> just fine.
> nsswitch.conf:
> hosts:      files mdns4_minimal [NOTFOUND=return] dns myhostnam
> I do not have other desktop system at hand, so I will defer other
> experiments to others.
> Please do experiments and report your results.
> Petr Špaček  @  CZ.NIC
>> Mark
>>> On 2 Feb 2018, at 6:50 pm, Petr Špaček <petr.spa...@nic.cz> wrote:
>>> On 2.2.2018 07:55, A. Schulze wrote:
>>>> Paul Hoffman:
>>>>> My preference is #1 because, in general, a label starting with _ has
>>>>> been meant for infrastructure, and that's what these labels are.
>>>>> Others might like #2 so they don't have to add configuration to BIND
>>>>> (and maybe other authoritative servers).
>>>> just checked, my NSD and POWERDNS serve A record for _foo.examle.
>>>> without noise...
>>>> so: #1
>>> For the record, I also like more the underscore variant (#1 above).
>>> BIND spits a warning about it and I like it. After all, this whole KSK
>>> sentinel business is quite specialized thing to do and should be done
>>> only by people who know what they are doing, so warning is appropriate.
>>> After all, what is your guess about number of zones containing such
>>> names? 10? 20 zones globally? I cannot see more, and most likely vast
>>> majority of people who would like to create such zones is following this
>>> discussion.
>>> Please do not overcomplicate things. The technology seems okay to me.
>>> (I've implemented it including tests, see Knot Resolver 2.0.0.)
>>> Could we polish the text and publish it, pretty please?
>>> (BTW I have seen underscore names with A records in Microsoft Active
>>> Directory DNS years ago, so this is not the first time _ A is used.)
>>> --
>>> Petr Špaček  @  CZ.NIC
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
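
An added example, not part of the original message or of the ksk-test.net test page: a small JavaScript classifier that sorts the labels discussed in this thread into the RFC 5890 section 2.3.1 categories (LDH, reserved LDH with "--" in the third and fourth positions, XN-label, non-LDH). The function names and category strings are assumptions made for this example; the hostnames are the ones quoted above.

```javascript
// Added example: classify DNS labels per the RFC 5890 section 2.3.1 terminology.
// Category strings and function names are hypothetical, chosen for this sketch.

// LDH label: ASCII letters, digits, hyphen; no leading or trailing hyphen.
const LDH_RE = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/i;

function classifyLabel(label) {
  if (label.length < 1 || label.length > 63) return "invalid-length";
  if (!LDH_RE.test(label)) {
    // Underscore-prefixed labels (e.g. "_www") are legal in the DNS itself
    // but fall outside the LDH hostname syntax.
    return label.startsWith("_") ? "non-ldh-underscore" : "non-ldh";
  }
  // Reserved LDH (R-LDH): "--" in the third and fourth character positions.
  if (label.slice(2, 4) === "--") {
    // Only the "xn" prefix marks an IDNA XN-label; others are merely reserved.
    return label.slice(0, 2).toLowerCase() === "xn" ? "xn-label" : "reserved-ldh";
  }
  return "ldh";
}

// Split a hostname (optional trailing dot) and classify each label.
function classifyHostname(name) {
  return name
    .replace(/\.$/, "")
    .split(".")
    .map((label) => ({ label, kind: classifyLabel(label) }));
}

// True only when every label is a plain, non-reserved LDH label.
function isPlainLdhHostname(name) {
  return classifyHostname(name).every((entry) => entry.kind === "ldh");
}

// Hostnames taken from the thread above.
for (const host of ["_www.ksk-test.net", "xm--www.ksk-test.net",
                    "_test.example.", "ron.kumari.net"]) {
  const kinds = classifyHostname(host).map((e) => `${e.label}=${e.kind}`);
  console.log(host, "->", kinds.join(", "));
}
```
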
