> We run our conference server on
> conference.jabber.meta.net.nz.  This is a
> sub.sub.sub.domain.nz, and is probably very common for
> companies using jabber outside the US where their domain is
> in a CC TLD.

Thanks, that's a good point. The algorithm should be refined to account
for international domains. The fix for the IE vulnerability you
mentioned was to stop looking up the DNS tree past 3rd level domains in
the international case (described at
http://www.microsoft.com/technet/security/bulletin/fq99-054.mspx). The
fix was *not* to remove the tree walking algorithm completely.

I've filed this as a new issue in our tracker:

http://www.jivesoftware.org/issues/browse/JM-419

> If you can't afford to go buy a domain name that you fully
> control to run your jabber server under, then what kind of
> quality to end users are you going to be able to provide?
> This may be useful in a test environment, but not on the
> production Internet.

Again, the issue is that in large organizations managing DNS entries can
be a big PITA. :) Just because we're all engineers/admins that are
experts at manipulating DNS on our own networks doesn't mean that most
users are as well.

> now the message gets delivered
> to [EMAIL PROTECTED], [EMAIL PROTECTED] isn't anyone at all related
> to [EMAIL PROTECTED]

No, the packet is addressed to [EMAIL PROTECTED] and not
[EMAIL PROTECTED]. It definitely won't get delivered to the wrong place
unless the server is "evil". See my previous arguments as to why you
should trust the whole domain tree if you trust dial-back
(notwithstanding the international domain bug that you reported).

Regards,
Matt
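
The refinement discussed above (stop walking up the DNS tree past the 3rd-level domain when the name sits under a country-code TLD), as an added illustration that is not Jive Messenger code and not the exact algorithm from the Microsoft bulletin. The ccTLD set and the "minimum labels to keep" rule are assumptions made for the example; a real deployment would consult a maintained public suffix list rather than a hand-written set.

```python
# Added illustration, not Jive Messenger's own code: enumerate the parent domains a
# "trust the whole domain tree" rule would trust for a conference host, with and
# without a cut-off for registry-controlled second-level labels (net.nz, co.uk, ...).

# Constructed/assumed: ccTLDs known to hand out names under second-level registry
# labels. A production check would use a public suffix list instead of this set.
CC_TLDS_WITH_SECOND_LEVEL = {"nz", "uk", "au", "jp"}


def _labels(hostname: str) -> list[str]:
    """Split a hostname into its DNS labels, ignoring case and a trailing dot."""
    return hostname.lower().rstrip(".").split(".")


def naive_parents(hostname: str) -> list[str]:
    """Walk up the tree until only a 2-label domain remains (no ccTLD awareness).

    For conference.jabber.meta.net.nz this trusts net.nz, i.e. every host the
    registry delegates under net.nz, which is the bug reported in the thread.
    """
    labels = _labels(hostname)
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def refined_parents(hostname: str) -> list[str]:
    """Walk up the tree but stop before the registry-controlled levels.

    Assumed rule: keep at least 2 labels for generic TLDs (example.com) and at
    least 3 labels when the TLD is a ccTLD with second-level registry labels
    (meta.net.nz), mirroring the "don't go past 3rd-level" refinement.
    """
    labels = _labels(hostname)
    min_labels = 3 if labels[-1] in CC_TLDS_WITH_SECOND_LEVEL else 2
    return [".".join(labels[i:]) for i in range(1, len(labels) - min_labels + 1)]


def is_in_trusted_tree(sender_domain: str, conference_host: str) -> bool:
    """True if sender_domain is the conference host itself or one of its refined parents."""
    sender = ".".join(_labels(sender_domain))
    return sender == ".".join(_labels(conference_host)) or sender in refined_parents(conference_host)


if __name__ == "__main__":
    host = "conference.jabber.meta.net.nz"  # constructed sample from the thread
    print("naive  :", naive_parents(host))
    print("refined:", refined_parents(host))
    print("net.nz trusted?", is_in_trusted_tree("net.nz", host))
```

The naive walk ends at `net.nz`, the registry's own second-level label, so any unrelated registrant under `net.nz` would be treated as part of the operator's tree; the refined walk stops at `meta.net.nz`, the first label the operator actually controls.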
