[dns-operations] Monday rant against the uses of the Public Suffix List

Colm MacCárthaigh colm at stdlib.net
Mon Jan 21 23:01:08 UTC 2013


On Mon, Jan 21, 2013 at 2:14 PM, Vernon Schryver <vjs at rhyolite.com> wrote:
> It might also be worth noting that the original complaint in
> https://lists.dns-oarc.net/pipermail/dns-operations/2013-January/009634.html
> was about Google Apps instead of browsers.  Why would Google Apps
> care about the PSL list?

AppEngine, which depends on Google Apps accounts, supports wildcard
sub-domains:

https://developers.google.com/appengine/docs/domain#wildcard

If Google allowed you to register *.com with Google Apps, then your
apps would be able to capture typos or latent traffic, where another
domain owner may have already created their CNAME to Google Apps, but
forgotten to configure the account yet.

For similar reasons, certificate authorities take precautions when
signing wildcard certificates, to ensure that the level of the domain
being signed is appropriate. If a CA were to give Nominet a
certificate for *.co.uk - that would be a problem. But giving me
a *.stdlib.net certificate is fine, even though it's the same number of
dots.

So in these cases, the suffix lists are used to help protect privacy.

-- 
Colm
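
Added example, not part of the original message and not any CA's or Google's actual code: a sketch of the wildcard check described above, which refuses `*.co.uk` but accepts `*.stdlib.net` even though both have the same number of dots. The function names and the six-rule sample list are assumptions made for illustration; the rules use Public Suffix List syntax, including a wildcard rule and an exception rule.

```python
# Constructed sample in Public Suffix List syntax (a tiny subset).
# A real check would load the full, current list instead.
SAMPLE_RULES = """
com
net
uk
co.uk
*.ck
!www.ck
"""

def parse_rules(text):
    """Split PSL-syntax lines into (normal/wildcard rules, exception rules)."""
    rules, exceptions = set(), set()
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("//"):
            continue
        if line.startswith("!"):
            exceptions.add(line[1:])
        else:
            rules.add(line)
    return rules, exceptions

def public_suffix(name, rules, exceptions):
    """Return the public suffix of name: longest matching rule wins."""
    labels = name.lower().rstrip(".").split(".")
    best = labels[-1:]  # implicit default rule "*": the TLD alone
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in exceptions:
            # An exception rule prevails; the suffix is the rule minus its first label.
            return ".".join(labels[i + 1:])
        wildcard = ".".join(["*"] + labels[i + 1:])
        if (candidate in rules or wildcard in rules) and len(labels) - i > len(best):
            best = labels[i:]
    return ".".join(best)

def wildcard_allowed(pattern, rules, exceptions):
    """True only if the name under '*.' lies below a public suffix."""
    if not pattern.startswith("*."):
        raise ValueError("expected a pattern of the form *.example.tld")
    base = pattern[2:].lower().rstrip(".")
    if not base or "*" in base:
        return False
    return public_suffix(base, rules, exceptions) != base

RULES, EXCEPTIONS = parse_rules(SAMPLE_RULES)
```
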
