[dns-operations] Monday rant against the uses of the Public Suffix List

Vernon Schryver vjs at rhyolite.com
Mon Jan 21 19:12:50 UTC 2013


> From: Paul Vixie <paul at redbarn.org>

> Stephane Bortzmeyer wrote:

> >> used by numerous software developers, programming languages,
> >> browsers (cookies), search engines, security software, and many
> >> other places.
> >
> > And 95 % of these uses are bad ideas: it creates false positives
> > (.CW...) and false negatives (it's not because .COM exists that
> > anything.com has a meaning).
>
> passionate +1.

Why is anyone using such lists to validate domain suffixes?  I recently
discovered a global, distributed database with nearby caching that
allows HTTP and SMTP servers to check whether the right hand side of
user at example.com is valid.  It does not require that servers act exactly
like miscreants doing dictionary attacks to find spam targets ("sender
address verification") or exactly like spammers sending unsolicited
bulk mail.

Continuing the sarcasm is too much effort, so I'll simply ask why not
do DNS MX and A requests?  (both because of the fall-back-to-A-if-no-MX
rule)  If you get NXDOMAIN or NODATA for both MX and A, you know it
is invalid in an SMTP Rcpt_To command (unless you still believe in
SMTP source routing).  If you get A or MX records, then it is at least
as likely to be valid as a name in the other list.


Vernon Schryver    vjs at rhyolite.com
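As an added illustration (not part of Vernon's post), here is the MX-then-A check he describes, written in Python against a constructed in-memory resolver so it runs offline; the resolver table, the `fake_lookup` helper and the status strings are my assumptions, and the null-MX branch (RFC 7505) is an addition that goes beyond what the post mentions.

```python
"""Validate the right-hand side of an address the way the post describes:
ask for MX, fall back to A when MX is NODATA, reject on NXDOMAIN or when
both MX and A are empty.  The lookup function is injected so the logic can
be exercised offline; a real deployment would wrap dnspython's
dns.resolver.resolve() and map its NXDOMAIN / NoAnswer exceptions to the
status strings used here (AAAA would be checked alongside A in practice)."""
from typing import Callable, List, Tuple

NXDOMAIN, NODATA, OK = "NXDOMAIN", "NODATA", "OK"
Lookup = Callable[[str, str], Tuple[str, List]]

# Constructed sample data standing in for the DNS (not real zone contents).
_FAKE_DNS = {
    ("example.com.", "MX"): [(10, "mail.example.com.")],
    ("example.com.", "A"): ["192.0.2.10"],
    ("a-only.example.", "A"): ["192.0.2.20"],      # no MX: fall-back-to-A rule applies
    ("nullmx.example.", "MX"): [(0, ".")],          # RFC 7505 null MX: accepts no mail
    ("nullmx.example.", "A"): ["192.0.2.30"],
    ("empty.example.", "TXT"): ["v=spf1 -all"],    # name exists, but no MX and no A
}


def fake_lookup(name: str, rrtype: str) -> Tuple[str, List]:
    """Hypothetical resolver: NXDOMAIN if no RRset of any type exists at the
    name, NODATA if the name exists but lacks the requested type."""
    name = name.lower().rstrip(".") + "."
    if not any(owner == name for owner, _ in _FAKE_DNS):
        return NXDOMAIN, []
    if (name, rrtype) in _FAKE_DNS:
        return OK, _FAKE_DNS[(name, rrtype)]
    return NODATA, []


def domain_accepts_mail(domain: str, lookup: Lookup = fake_lookup) -> Tuple[bool, str]:
    """Return (usable_as_rcpt_to_domain, reason)."""
    status, mx = lookup(domain, "MX")
    if status == NXDOMAIN:
        # The whole name is absent, so an A query would only repeat the answer.
        return False, "NXDOMAIN: name does not exist"
    if status == OK and mx:
        if all(exchange == "." for _, exchange in mx):
            return False, "null MX: domain explicitly accepts no mail"
        return True, "MX present"
    # NODATA for MX: RFC 5321 section 5.1 treats the A record as an implicit MX.
    status, addrs = lookup(domain, "A")
    if status == OK and addrs:
        return True, "no MX, but A present (fall-back-to-A rule)"
    return False, "NODATA for both MX and A"
```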


