Re: [DNSOP] Public Suffix List

Ted Lemon <> Wed, 11 June 2008 16:15 UTC

From: Ted Lemon <>
To: Gervase Markham <>
Date: Wed, 11 Jun 2008 11:15:24 -0500
Subject: Re: [DNSOP] Public Suffix List
List-Id: IETF DNSOP WG mailing list <>

On Jun 11, 2008, at 6:26 AM, Gervase Markham wrote:
> It's not true that we won't work on any other solution. This is what we have now, and there have been no alternative proposals which (to my mind) look like producing anything workable in the short term.

Putting the list in the DNS instead of in the browser isn't workable? Serious question. I think several proposals have been advanced here that /could/ work. Mine has the virtue of being completely under your control. The other one, where subdomains are called out in the zones of the domains that contain them, is not under your control, and wouldn't be a good interim solution, but sounds like a good long-term solution because it puts correctness in the hands of the people who suffer or benefit from it.

So what I would personally like to see here is a staged transition. In the first stage, would set up a TLD list in its own DNS space, or in some new subdomain they register with good anycast replication so that no individual server has to bear the entire load. This list would be maintained by, using information from registries and domain owners, and also using your current ad-hoc system.

But you'd also implement the system that was proposed here where the registries themselves can publish this information in their own domains. And over time, the hope would be that the number of TLDs you'd have to maintain in your list would slowly dwindle, to the point where it would become more of a quirks list than a registry of its own. This could work because the incentives are in the right direction - sites that have problems with your ad-hoc registry can either contact you or fix their own DNS, and fixing their own DNS may well be easier.

I haven't heard you responding that either of these solutions wouldn't work, so I'm assuming they would, but perhaps I'm wrong. It also may be the case that for reasons of practicality you need to start with a list embedded in the browser; as long as you have a plan to make the transition to a list that's maintained more dynamically, and as long as you actually execute that plan, it seems to me that this is harmless.

BTW, thanks for your reasoned responses to all these questions and accusations being thrown at you. You seem to have really elicited a lot of energetic response with your initial request, and I hope that something good will come of it.

DNSOP mailing list
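Whether the list lives in the browser, in a DNS zone run by the list maintainer, or in the registries' own zones, the consumer side is the same: given a hostname, find the longest matching public-suffix rule and refuse to let a site set cookies on that suffix. The following is an added example, not code from this thread or from any browser; it assumes the rule syntax of the published Public Suffix List (plain rules, `*.` wildcards, `!` exceptions) and uses a small constructed rule set rather than the real list.

```python
"""Public-suffix matching as a browser does it, on a constructed rule list.

Matching follows the published PSL rules: among the rules that match a host,
an exception rule ('!') wins outright; otherwise the rule with the most labels
wins; a host matching no rule is treated as having a one-label public suffix.
"""

# Constructed sample in PSL syntax. Not the real list.
SAMPLE_RULES = """
// comment lines and blank lines are ignored
com
uk
co.uk
*.ck
!www.ck
github.io
"""


def parse_rules(text):
    """Return the non-comment, non-empty rule lines, lower-cased."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("//"):
            rules.append(line.lower())
    return rules


def _rule_matches(rule_labels, host_labels):
    """Compare labels from the right; '*' matches exactly one label."""
    if len(rule_labels) > len(host_labels):
        return False
    for r, h in zip(reversed(rule_labels), reversed(host_labels)):
        if r != "*" and r != h:
            return False
    return True


def public_suffix(host, rules):
    """Return the public suffix of `host` under `rules`."""
    labels = host.lower().rstrip(".").split(".")
    if "" in labels:
        raise ValueError("empty label in host: %r" % host)
    best = None  # ((is_exception, label_count), rule_labels)
    for rule in rules:
        exception = rule.startswith("!")
        rl = rule.lstrip("!").split(".")
        if not _rule_matches(rl, labels):
            continue
        key = (exception, len(rl))
        if best is None or key > best[0]:
            best = (key, rl)
    if best is None:
        return labels[-1]
    (exception, n), _ = best
    if exception:
        # An exception rule names a registrable domain; its public suffix
        # is the rule with the leftmost label removed.
        n -= 1
    return ".".join(labels[-n:])


def registrable_domain(host, rules):
    """Public suffix plus one label, or None if `host` is itself a suffix."""
    host = host.lower().rstrip(".")
    suffix = public_suffix(host, rules)
    if host == suffix:
        return None
    prefix = host[: -len(suffix) - 1].split(".")
    return prefix[-1] + "." + suffix


def cookie_domain_allowed(request_host, cookie_domain, rules):
    """Decide whether a Domain= cookie attribute may be honoured.

    Two checks a browser applies: the host must domain-match the attribute,
    and the attribute must not be a public suffix (which would create a
    cookie shared across every site under that suffix).
    """
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if not (host == domain or host.endswith("." + domain)):
        return False
    return registrable_domain(domain, rules) is not None


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for h in ["www.example.co.uk", "foo.bar.ck", "www.ck", "alice.github.io"]:
        print(h, "->", public_suffix(h, rules), registrable_domain(h, rules))
    print(cookie_domain_allowed("www.example.co.uk", "co.uk", rules))
```

The `*.ck` / `!www.ck` pair is the case a list-in-DNS design has to be able to express too: every second-level name under `.ck` is a public suffix except `www.ck`, which is a registrable domain in its own right.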