Harald Tveit Alvestrand wrote:
> 
> At 09:22 31.05.2000 -0700, Joe Touch wrote:
> 
> >It may be useful to distinguish resolver behavior from browser behavior.
> >
> >If the host has no more specific (explicit) resolver information,
> >the current fully-qualified hostname, minus the first component,
> >is used as the 'working suffix'. Attempts are made, with increasing
> >generality, to use this suffix on any partially qualified request.
> 
> so far nobody's mentioned RFC 1535, the short summary of which is "this is
> bloodyawfulstupidbehaviour".
> 
> If I am out to attack you, and can place a record at ANY position in your
> search path, I can control your offsite name lookups totally.
> 
> In the case of someone searching
> 
> www.netscape.com.dept.other.edu
> www.netscape.com.other.edu
> www.netscape.com.edu
> www.netscape.com
> 
> any DNS administrator at dept.other.edu, other.edu or com.edu(!) can
> prevent him from getting to www.netscape.com, instead sending him elsewhere.

Yes. This can also be changed by how the resolver is configured
(there are overrides, e.g., 'ndots'). 

RFC 1535 removes only some of those lookups; remaining are:

        www.netscape.com.dept.other.edu
        www.netscape.com

While RFC 1535 specifies that names including dots SHOULD be
resolved as absolute first, this can be changed by the resolver
configuration. And configuration information can be hard for
users to determine.

The use of the trailing dot (www.netscape.com.) remains
a useful way to force the resolver to avoid suffix extensions.

Joe
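
The lookup orders discussed in this thread can be reproduced with a small model of a stub resolver's search-list and 'ndots' handling, following the behaviour documented in resolv.conf(5). This is an added example, not code from either poster; the host name host.dept.other.edu and all function names are assumptions made for illustration.

```python
def implicit_search_list(fqdn):
    """Suffixes derived from the host's own name, most specific first
    (the 'working suffix' walk described in the thread)."""
    labels = fqdn.rstrip(".").split(".")[1:]      # drop the first component
    return [".".join(labels[i:]) for i in range(len(labels))]


def candidates(name, search, ndots=1):
    """Order in which names are tried. Simplified model: a real resolver
    stops at the first candidate that returns an answer."""
    if name.endswith("."):
        return [name]                             # rooted: no suffix is appended
    absolute = name + "."
    expanded = [f"{name}.{suffix}." for suffix in search]
    if name.count(".") >= ndots:
        return [absolute] + expanded              # absolute name tried first
    return expanded + [absolute]                  # search list tried first


def exposed_before_absolute(name, search, ndots=1):
    """Candidates queried before the intended absolute name. Whoever can
    publish a record for one of these answers before the real zone does."""
    order = candidates(name, search, ndots)
    target = name.rstrip(".") + "."
    return order[:order.index(target)]


if __name__ == "__main__":
    # Constructed host name; only its parent domains appear in the thread.
    legacy = implicit_search_list("host.dept.other.edu")
    cases = [
        ("implicit walk, ndots=3", "www.netscape.com", legacy, 3),
        ("explicit list, ndots=3", "www.netscape.com", ["dept.other.edu"], 3),
        ("explicit list, ndots=1", "www.netscape.com", ["dept.other.edu"], 1),
        ("trailing dot,  ndots=3", "www.netscape.com.", legacy, 3),
    ]
    for label, name, search, ndots in cases:
        exposed = exposed_before_absolute(name, search, ndots)
        print(f"{label}: {candidates(name, search, ndots)}")
        print(f"    queried before the intended name: {exposed or 'none'}")
```

Running the same function over a host's actual search list and ndots value shows which parent zones are consulted before the name the user typed.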