[dns-operations] Browser Public suffixes list

Meir Kraushar meir at isoc.org.il
Fri Aug 26 21:43:51 UTC 2022


Indeed, TLD xn--4dbrk0ce was signed and published earlier this year.
As the DNS guy I was sure this is it.
Later on we discovered that browsers have their own lives.
It appears as if Firefox and Chromium browsers determine if an entered
value is a domain name or a search value, based on a list called "PSL",
which is maintained by Mozilla volunteers:
https://publicsuffix.org/
Like I said, this was new to us and frankly very surprising. I think this
xkcd describes this situation best: https://xkcd.com/2347

So bottom line, browser behavior is not based on DNS resolving, nor on any
IANA list, but rather on the PSL.
As I wrote earlier, we have already merged the diff into the list.
The next update of Firefox and hopefully Chromium-based browsers (Sept 26)
should contain the updated list.
The only browser for which we could not find any documentation on this
matter is Apple's Safari.
P.S. It has nothing to do with right-to-left scripts.


On Fri, Aug 26, 2022, 22:31 Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:

> On Fri, Aug 26, 2022 at 09:20:00PM +0300, Meir Kraushar wrote:
>
> > Yes the problem is that browsers not aware of a TLD, in this case SAFARI
> > unaware of xn--4dbrk0ce,  do not treat it as a domain.  It won't resolve
> > the given name and go to the address. Instead, it will pass the value to
> > the search engine. This is bad. Most certainly not the desired behavior
> > when launching a new domain.
>
> That's rather odd.  How old is the Safari release you're testing?  The
> TLD is no longer "brand new": DNSSEC/DANE survey data for the TLD shows
> a go-live date in Mar 2021, with DNSSEC signing in May of this year.
>
>         qname     | dnssec |    date
>     --------------+--------+------------
>      xn--4dbrk0ce | f      | 2021-03-18
>      xn--4dbrk0ce | t      | 2022-05-13
>
> If Safari has a built-in list of TLDs, it'd have to have been "baked in"
> at least ~1.5 years ago.
>
> Speaking of DNSSEC, I see you're using NSEC3 with opt-out and 5
> iterations.  Please consider 0 iterations, *no* opt-out and possibly
> empty salt.  See:
>
>     https://www.rfc-editor.org/rfc/rfc9276.html
>
> Indeed when trying: xn--5dbedt4e.xn--4dbrk0ce, also recent Firefox and
> Chrome suggest a search rather than treating it (בדיקה.ישראל) as a
> domain first.
>
> It seems that PSL aside (cookie scope management), the browsers have
> additional rules about which punycode strings they accept as domain
> names.
>
> --
>     Viktor.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
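
Added example, not part of either message in this thread: a small offline check of NSEC3 and NSEC3PARAM records against the parameters recommended in the quoted reply (0 iterations, no opt-out, empty salt, per RFC 9276). The record lines, owner names, salt and hashes are constructed placeholders, and the function names are hypothetical.

```python
# Added example: audit NSEC3 / NSEC3PARAM records against the advice quoted
# in the thread (0 iterations, no opt-out, empty salt; see RFC 9276).
# SAMPLE_RECORDS is constructed: owner names, salt and hashes are placeholders.

OPT_OUT = 0x01  # opt-out bit in the NSEC3 flags field (RFC 5155)

SAMPLE_RECORDS = """\
example. 0 IN NSEC3PARAM 1 0 5 AABBCCDD
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. 3600 IN NSEC3 1 1 5 AABBCCDD 2t7b4g4vsa5smi47k61mv5bv1a22bojr NS DS RRSIG
hardened.example. 0 IN NSEC3PARAM 1 0 0 -
hardened.example. 3600 IN SOA ns.example. admin.example. 1 7200 3600 1209600 3600
"""


def audit_record(line):
    """Return the findings for one presentation-format record line."""
    fields = line.split()
    rrtype = next((f for f in fields if f in ("NSEC3", "NSEC3PARAM")), None)
    if rrtype is None:
        return []  # not an NSEC3-family record
    # rdata layout: hash-algorithm, flags, iterations, salt, ...
    rdata = fields[fields.index(rrtype) + 1:]
    if len(rdata) < 4:
        raise ValueError("truncated %s rdata: %r" % (rrtype, line))
    flags, iterations, salt = int(rdata[1]), int(rdata[2]), rdata[3]
    findings = []
    if iterations != 0:
        findings.append("iterations=%d, want 0" % iterations)
    if salt != "-":  # "-" is the presentation form of an empty salt
        findings.append("salt present, want '-' (empty)")
    # Opt-out is signalled on each NSEC3 record, not in NSEC3PARAM.
    if rrtype == "NSEC3" and flags & OPT_OUT:
        findings.append("opt-out flag set")
    return findings


def audit_zone(text):
    """Return (line_number, findings) for every record that deviates."""
    report = []
    for number, line in enumerate(text.splitlines(), 1):
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        findings = audit_record(line) if line else []
        if findings:
            report.append((number, findings))
    return report


if __name__ == "__main__":
    for number, findings in audit_zone(SAMPLE_RECORDS):
        print("line %d: %s" % (number, "; ".join(findings)))
```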