Re: [DNSOP] Public Suffix List

Dean Anderson <> Thu, 12 June 2008 04:03 UTC

Date: Thu, 12 Jun 2008 00:03:15 -0400 (EDT)
From: Dean Anderson <>
To: Gervase Markham <>
In-Reply-To: <>
Message-ID: <>
MIME-Version: 1.0
Cc: "" <>, David Conrad <>, "" <>
Subject: Re: [DNSOP] Public Suffix List
List-Id: IETF DNSOP WG mailing list <>

On Wed, 11 Jun 2008, Gervase Markham wrote:

> Dean Anderson wrote:
> >> That's unfortunate; but I must say this upset was not communicated to me.
> > 
> > Probably that's because you are using SORBS to filter your email. SORBS
> > has an unusually high number of false positives, and for example,
> > falsely claims that that 130.105/16 and 198.3.136/21 are hijacked. You 
> > can find more information about SORBS on
> No-one can have control over and knowledge of everything their ISP does
> with relation to the services they provide. 

Actually, I looked into the 'Our ISP blocked our mail without our
knowledge' claim. [I'm always interested in the cases where this is
true]. In fact, Mozilla's email is handled by mailservers on
63.245.208/20, which is a /20 assigned to It struck me as
quite odd that has 4096 IP addresses, and
that it got this assignment in 2006, under what should have been very
strict usage and allocation rules...I wonder how justifies
4k public IP addresses---Question for a different forum. Anyway, using
SORBS isn't a decision you can blame on your ISP. It's
mailserver, not an outsourced ISP mailserver. has control
over its email filtering, and it seems likely a admin
configured SORBS. It was not their ISP.  This affects at least my view
of your credibility.

> I confess I've only ever vaguely heard the name SORBS, and had no idea
> that my provider was using it. But I don't believe that using it makes
> me uncontactable. My phone number and address are on my personal web
> page.
> I can hardly imagine some TLD administrator saying "I'm so irritated
> about Firefox's TLD IDN whitelist. I'm going to send Gerv a nasty
> email. Hang on, my email's been rejected. Oh well, I guess I'll just
> have to live with it."

Well, somehow they managed to convey their upsetness to ICANN, but not
convey that to Mozilla. I don't know exactly why that was.  But people
often don't try very hard to overcome communication problems to tell
someone that they are unreasonably off in the weeds.  A SORBS bounce
would tend to confirm the effort is pointless.

> >> That policy of ours should have no effect whatsoever on TLDs with a
> >> responsible attitude to homographs. Our registration requirements are
> >> not onerous.
> > 
> > ??? This statement doesn't seem very credible. What authority do you
> > have to decide what a 'responsible attitude to homographs' would be?  
> What's your answer to that question? (Hint: the answer "no-one" is
> equivalent to the answer "the registries", which has been shown not to
> work. See .)

I don't see that the answer is "no-one", nor that "the registries" has
been shown not to work, as you claim.  However, if you think there is a
problem and you have a solution that should be imposed on the TLDs, you
should take the matter up with ICANN.  Your unilateral exercise is
certainly no solution.

> > doesn't represent the internet industry nor any
> > government or governing organization.
> No, we represent our users, and we make all sorts of security
> decisions for them on a regular basis.

Hmm. Worrisome, given the apparent lack of serious thought put into some
of those "security" decisions, and the lack of credible, serious thought
put into even anti-spam choices, and the blaming of things on your ISP.

> One of the reasons Firefox is popular is precisely because it doesn't
> wimp out of security decisions with user-irritating popup questions
> they have no information to answer.

I also use firefox, but certainly not for those reasons. I use it
because it came with Linux, and it displays HTML pretty reasonably. I
didn't know it might have other dubious agendas hard-coded.

> But, as someone else has said, if people don't like the decisions we
> make, they can either become part of "we" and seek to change them, or
> they can change or build their copy, or can distribute an alternative
> browser.

Actually, I said that. Perhaps others did, too.

> > Why should TLDs think they need to register with
> They don't have to. Why should TLDs think they have an automatic right
> to have Firefox display domains they have issued which allow our users
> to be fooled or defrauded?

You have no justification to form that conclusion. The TLDs aren't
defrauding anyone; the TLDs aren't aiding in the fraud of anyone. And
your scheme isn't even shown to stop fraudulent websites. So
seems to have little to no justification whatsoever for its extremely
unilateral actions.  

The people who register their domains with any certified TLD do have an
automatic right to have Firefox display their websites.  You have no
right to assert they are fraudulent when they aren't and you have no
evidence they are.

I don't get a good feeling about, anymore.  The unrealistic,
unilateral attitude reminds me of other kinds of similar extremism, that
was also found to be unsubstantiated, and a great waste of effort.  
Indeed, the claim of blocking fraud with this scheme appears to be the
deceptive claim. It reminds me of SPF proponents' claims that SPF would
end spam.  Those were similarly false.

But I am beginning to think this thread doesn't really belong on DNSOP
(though it is relevant to TLD DNS operations), but probably should be on
an ICANN list devoted to TLD public policy issues. I have no idea what
list that would be, or if there is such a list.  Not that I oppose
continuing the thread here, but I am concerned that this is an important
public policy topic and the readers of this list are more engineering


Av8 Internet   Prepared to pay a premium for better service?         faster, more reliable, better service
617 344 9000   

DNSOP mailing list