Should host/domain names travel over the internet with a trailing dot?
Valdis.Kletnieks at vt.edu
Tue Feb 26 18:12:53 UTC 2013
On Mon, 25 Feb 2013 19:07:20 -0600, Jimmy Hess said:
> If the domain in a certificate were not interpreted as a FQDN by the
> client, this would mean, that the certificate for
> CN=bigbank.example.com
> might be used to authenticate a connection to https://bigbank.example.com
> which, due to the local resolver search order, is in fact a DNS lookup of
> bigbank.example.com.intranet.example.com
>
> Which might be captured by a Wildcard A record for *.com found in
> the intranet.example.com. zone and pointed to a server
> containing a phishing attack against bigbank.example.com; with a
> DNS cache poisoned by a false negative cache NXDOMAIN entry for
> bigbank.example.com.
I am *sooo* tempted to say "I recommend my competitors do DNS lookups this way"
:)
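The search-list behaviour Jimmy describes is easy to model. The following is an added example, not code from the thread or from any resolver implementation: it mimics glibc-style resolv.conf semantics (a trailing dot makes the name absolute and bypasses the search list; otherwise the `ndots` threshold decides whether the bare name or the search-suffixed names are tried first) and reports which query names a client would send for a certificate's CN. The search list `intranet.example.com` is a constructed sample taken from the quoted scenario.

```python
# Added example: model stub-resolver search-list expansion to show why a
# name without a trailing dot can be looked up in an unintended zone.
from typing import List


def candidate_names(name: str, search_list: List[str], ndots: int = 1) -> List[str]:
    """Return, in order, the absolute names a resolv.conf-style stub resolver
    would query for `name`.

    Assumed glibc-like rules (not a quote of any implementation):
      * a trailing dot makes the name absolute: only that name is tried;
      * with at least `ndots` dots, the name is tried as-is first, then with
        each search suffix appended;
      * with fewer than `ndots` dots, the suffixed forms are tried first and
        the bare name last.
    """
    if name.endswith("."):
        return [name]
    suffixes = [s.rstrip(".") + "." for s in search_list]
    with_suffix = [f"{name}.{s}" for s in suffixes]
    as_is = name + "."
    if name.count(".") >= ndots:
        return [as_is] + with_suffix
    return with_suffix + [as_is]


def names_outside_intended(name: str, search_list: List[str], ndots: int = 1) -> List[str]:
    """Return the candidate query names that are NOT the absolute form of
    `name`. Any entry here is a lookup that lands in a search-list zone the
    certificate's CN never referred to; an empty list means the lookup is
    pinned to the intended name."""
    intended = name if name.endswith(".") else name + "."
    return [c for c in candidate_names(name, search_list, ndots) if c != intended]


if __name__ == "__main__":
    # Constructed sample search list from the quoted scenario.
    search = ["intranet.example.com"]
    for cn in ("bigbank.example.com", "bigbank.example.com."):
        print(cn, "->", candidate_names(cn, search))
        print("  outside intended zone:", names_outside_intended(cn, search))
```

With the default `ndots=1`, `bigbank.example.com` is queried as-is first and only falls through to `bigbank.example.com.intranet.example.com.` after a negative answer, which is exactly why the quoted attack needs a poisoned NXDOMAIN; with a larger `ndots` the intranet name is tried first without any poisoning. Writing `bigbank.example.com.` (trailing dot) produces a single candidate in either case.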