On 2013-04-15, at 12:00, Jay Ashworth <j...@baylink.com> wrote:

> Seems to me that it's a crock because *it should be in the DNS*.
> 
> I should be able to retrieve the AS (administrative split) record 
> for .co.uk, and there should be one that says, "yup, there's an
> administrative split below me; nothing under there is mine unless 
> you also get an exception record for a subdomain".

I've always quite liked that idea (if we accept for the point of discussion 
that there are use-cases like cookie naming that make identifying this kind of 
boundary useful).

There's a concern though that there are multiple ways to spoof such a DNS 
response, and do so in a distributed fashion that might not be easy to detect 
by an individual client application. If the AS (or whatever) record was signed, 
that would make things better. But only if you could rely upon clients to 
validate those responses (or have a sufficiently clean DNS path out that 
validation was even possible).

There's also the question of what to do with a TLD (or other part of the 
namespace) that doesn't include this record. Some of the zones we're talking 
about are generated by registry machinery with long software development 
lifecycles.

If your starting point is (a) the records might not be there, (b) we might not 
be able to find them even if they are there, and (c) if we get them we can't 
always be sure they are genuine, then the natural conclusion is that you can't 
rely on the mechanism to work and you look for another answer.

If you need the mechanism to work (say you're a browser vendor who is going 
to get heat if cookie-leakage causes widespread privacy violations) then I can 
see why fetching and caching a browser list over SSL (and perhaps shipping with 
a baseline version of it) seems attractive.

And that I guess takes us back to where we are.


Joe
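
Added example, not part of the original message: a sketch of the list-based approach the last paragraphs describe, where a client ships a baseline suffix list, prefers a fetched copy when it has one, and uses the list to refuse cookies scoped to an administrative boundary such as co.uk. Rule syntax follows the Public Suffix List (including the wildcard and exception rules that mirror the "exception record" idea); BASELINE_RULES is a constructed sample and all function names are hypothetical.

```javascript
// Constructed baseline rules in Public Suffix List syntax (sample, not the real list).
const BASELINE_RULES = ["com", "uk", "co.uk", "*.ck", "!www.ck"];

// Index rules into normal, wildcard ("*.x") and exception ("!x") sets.
function compileRules(lines) {
  const rules = { normal: new Set(), wildcard: new Set(), exception: new Set() };
  for (const raw of lines) {
    const line = raw.trim().toLowerCase();
    if (!line || line.startsWith("//")) continue;
    if (line.startsWith("!")) rules.exception.add(line.slice(1));
    else if (line.startsWith("*.")) rules.wildcard.add(line.slice(2));
    else rules.normal.add(line);
  }
  return rules;
}

// Use the fetched list text when it yields rules, otherwise the shipped baseline.
function loadRules(fetchedText) {
  const lines = fetchedText ? fetchedText.split("\n") : BASELINE_RULES;
  const rules = compileRules(lines);
  return rules.normal.size ? rules : compileRules(BASELINE_RULES);
}

// Public suffix of host: the longest matching rule wins, an exception is
// checked before a wildcard of the same length, and an unlisted TLD is a suffix.
function publicSuffix(host, rules) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    const parent = labels.slice(i + 1).join(".");
    if (rules.exception.has(candidate)) return parent;
    if (rules.normal.has(candidate)) return candidate;
    if (i + 1 < labels.length && rules.wildcard.has(parent)) return candidate;
  }
  return labels[labels.length - 1];
}

// "domain": cookie may be shared below domainAttr; "host-only": keep it on the
// exact host; "reject": domainAttr is foreign or spans an administrative split.
function classifyCookieDomain(requestHost, domainAttr, rules) {
  const host = requestHost.toLowerCase().replace(/\.$/, "");
  const domain = domainAttr.toLowerCase().replace(/^\./, "").replace(/\.$/, "");
  if (host !== domain && !host.endsWith("." + domain)) return "reject";
  if (publicSuffix(domain, rules) !== domain) return "domain";
  return host === domain ? "host-only" : "reject";
}

const demoRules = loadRules(null); // no fetched copy available: baseline is used
console.log(classifyCookieDomain("shop.example.co.uk", "co.uk", demoRules));
```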

