On Jan 7, 2025, at 08:33, Brotman, Alex 
<Alex_Brotman=40comcast....@dmarc.ietf.org> wrote:
> 
> Coding can be done to discover these, but thought I'd ask if there were 
> something inherent in the protocol that could disclose when a wildcard match 
> was responsible for the result.  Seems like in most cases, there is no such 
> mechanism.

In writing a different response, I recalled the Mozilla Public Suffix List.

https://publicsuffix.org/

Maybe this can help.  If I recall, it is supposed to help bound a security 
decision just as you described.

Perhaps telling why the DNS doesn’t have features to make your task easy, there 
was the DBOUND WG (2014-2017) that concluded, unsuccessfully.

https://datatracker.ietf.org/wg/dbound/about/

That won’t necessarily help, but provides some context on why there are (still) 
no scoping boundaries on Wildcard(TM) name matching, among other things.

Because the DNS protocol lacks any exposure of administrative boundaries (you 
can discover zone boundaries with some effort but that isn’t the same), you 
need to rely on out-of-band information.

(Maybe DELEG can solve this! ;) )

Ed
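As an added illustration (not code from either poster), here is one way to combine the two ideas raised above: the "coding can be done to discover these" heuristic for spotting a wildcard-synthesized answer, and the Public Suffix List as the out-of-band source for an administrative boundary. Everything is offline and constructed: the zone data under the hypothetical names example.test and example.net, the toy resolver that mimics RFC 4592 closest-encloser wildcard matching, and the six-rule PSL subset (real rule syntax, not the real list). The wildcard heuristic queries a random sibling label and treats an identical answer as evidence of a wildcard; it is a heuristic, not a protocol signal, which is exactly the gap the thread describes.

```python
import random
import string
from typing import Callable, Dict, List, Optional

# Constructed zone data (hypothetical names); "*" owners are DNS wildcards.
CONSTRUCTED_ZONE: Dict[str, List[str]] = {
    "www.example.test": ["192.0.2.10"],
    "mail.example.test": ["192.0.2.20"],
    "*.example.test": ["192.0.2.99"],      # catch-all for example.test
    "static.example.net": ["198.51.100.5"],
}

# Constructed subset of Public Suffix List rules ("!" marks an exception rule).
CONSTRUCTED_PSL_RULES = ["com", "net", "test", "co.uk", "*.ck", "!www.ck"]

Resolver = Callable[[str], Optional[List[str]]]


def make_resolver(zone: Dict[str, List[str]]) -> Resolver:
    """Toy resolver: exact match first, else RFC 4592-style wildcard synthesis.
    A wildcard only applies when the closest encloser (longest existing
    ancestor of the query name) has a '*' child; names that exist, even only
    as empty non-terminals, never get wildcard answers."""
    exists = set()
    for owner in zone:
        parts = owner.split(".")
        for i in range(len(parts)):
            exists.add(".".join(parts[i:]))

    def resolve(qname: str) -> Optional[List[str]]:
        q = qname.lower().rstrip(".")
        if q in zone:
            return list(zone[q])
        if q in exists:            # empty non-terminal: exists, no data
            return None
        parts = q.split(".")
        for i in range(1, len(parts)):
            encloser = ".".join(parts[i:])
            if encloser in exists:   # first hit is the closest encloser
                wildcard = "*." + encloser
                return list(zone[wildcard]) if wildcard in zone else None
        return None

    return resolve


def looks_like_wildcard(name: str, resolve: Resolver,
                        rng: Optional[random.Random] = None) -> bool:
    """Heuristic: if a random sibling label returns the same answer as the
    name itself, the answer was most likely synthesized from a wildcard."""
    rng = rng or random.Random()
    answer = resolve(name)
    if answer is None:
        return False
    labels = name.lower().rstrip(".").split(".")
    probe = "".join(rng.choice(string.ascii_lowercase) for _ in range(12))
    sibling = ".".join([probe] + labels[1:])
    return resolve(sibling) == answer


def registrable_domain(name: str, rules: List[str]) -> Optional[str]:
    """Public Suffix List algorithm: exception rule beats wildcard/normal
    rules, otherwise the longest matching rule wins; with no match the
    implicit rule is '*'. Returns public suffix plus one label, or None."""
    labels = name.lower().rstrip(".").split(".")
    best = None  # ((is_exception, rule_length), rule_labels)
    for rule in rules:
        is_exc = rule.startswith("!")
        rl = rule.lstrip("!").split(".")
        if len(rl) > len(labels):
            continue
        if all(r == "*" or r == l for r, l in zip(reversed(rl), reversed(labels))):
            key = (is_exc, len(rl))
            if best is None or key > best[0]:
                best = (key, rl)
    if best is None:
        is_exc, rl = False, ["*"]
    else:
        (is_exc, _), rl = best
    if is_exc:
        rl = rl[1:]            # exception: drop the leftmost label
    suffix_len = len(rl)
    if len(labels) <= suffix_len:
        return None            # the name is itself a public suffix
    return ".".join(labels[-(suffix_len + 1):])


def classify(name: str, resolve: Resolver, rules: List[str]) -> dict:
    """Bundle the protocol answer with the two out-of-band judgements."""
    return {
        "answer": resolve(name),
        "wildcard_suspected": looks_like_wildcard(name, resolve),
        "registrable_domain": registrable_domain(name, rules),
    }


if __name__ == "__main__":
    r = make_resolver(CONSTRUCTED_ZONE)
    for n in ["www.example.test", "anything.example.test", "a.www.example.test"]:
        print(n, classify(n, r, CONSTRUCTED_PSL_RULES))
```

Note the case `a.www.example.test`: because `www.example.test` exists, the closest encloser is that name, not `example.test`, so the wildcard does not apply and the answer is empty; naive "replace the first label with `*`" checks get this wrong. The registrable-domain result is independent of anything the resolver says, which is the point: the boundary comes from the list, not from the protocol.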
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org