Re: [DNSOP] Public Suffix List

Gervase Markham, Mon, 09 June 2008 11:50 UTC

Jeroen Massar wrote:
> [Why not go DNSSEC first instead of solving a problem which is not a
> real problem? See below... ]

I'm not sure that DNSSEC solves the problem we are trying to solve, but
would be happy to be enlightened.

> You are *hard-coding* such a list into a 'product'? You do realize that
> a lot of people simply don't update their software I hope. Unfortunately
> for the OS's that need updating the most those people don't tend to update.

Fortunately, Firefox has an extremely good and fast update and uptake
rate. This is partly because we don't give users a choice about taking
non-major-version updates.

> You might want to consider using at least an RBL-style way for this.
> Though, you will of course hit off on all the privacy folks when you are
> doing another DNS query for every hit and
> collecting all that information. 

Indeed. This is why this type of scheme is not a runner.

Yngve Pettersen of Opera has suggested something like this in his
internet draft; however, my view is that getting comprehensive buy-in
would take quite a lot more time and effort than this method.

> How can non-TLD's get into this list!? 

Just by asking; I already got an email from CentralNIC.

> If you are going to push this 'technology', you might want to consider
> doing an SPF-alike test, thus getting that information from the provider
> of the label, or better: fix the cookie standards.

Yngve has several suggestions about how this may be fixed longer-term:

However, this is what we have that works here and now.

> And another much better step which I think the rest of this group (as of
> course this message is just and only my personal opinion and not that of
> the group in any way... that is how the IETF works after all ;) would
> actually also like is the use of DNSSEC. Which actually tells you that
> the domain you are looking at is really the domain you are requesting
> records from. 

That's a different problem, though. Even if DNSSEC was deployed, it
wouldn't teach browsers about the structure of the DNS.

DNSOP mailing list