JdeBP 5 days ago

I think that the scenario here is where the queries are explicitly not leaking, and you've raised a red herring.

If I understand correctly, the scenario is an internal machine named "george", which is being properly search-pathed and looked up as "george.example.org." with nothing leaking anywhere, becoming vulnerable to Walmart being able to issue certificates in the name "george", because the DNS client library's search pathing is not read out by the layers that simply know the machine as "george".

I'm not totally convinced by the premise here that certificate checkers never read out the final fully-qualified domain name from getaddrinfo().
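
An added example, not part of this thread, that models the layering JdeBP describes: a resolver that applies the search list and returns the canonical name, and a certificate check that compares the SAN list against either the name the application was handed ("george") or the resolver's FQDN. The search list, zone contents and certificate SANs are constructed for the scenario.

```python
# Simulated resolver search-list expansion plus an RFC 6125-style DNS-ID check.
# Shows the gap in the thread: an app that verifies against the short name it
# was given accepts a certificate issued for the bare label "george", while an
# app that verifies against the resolver's canonical name does not.
# SEARCH_LIST, ZONE and the SAN lists below are assumed/constructed values.

SEARCH_LIST = ["example.org", "corp.example.org"]  # assumed resolv.conf "search"
NDOTS = 1                                           # glibc default

def expand_query(name, search_list=SEARCH_LIST, ndots=NDOTS):
    """Ordered FQDNs the resolver would try, following resolv.conf semantics:
    a trailing dot is absolute; a name with fewer than ndots dots tries the
    search domains first, then the bare name; otherwise the bare name first."""
    if name.endswith("."):
        return [name]
    searched = [f"{name}.{d}." for d in search_list]
    bare = f"{name}."
    return searched + [bare] if name.count(".") < ndots else [bare] + searched

def resolve(name, zone):
    """Simulated lookup over `zone` (FQDN with trailing dot -> address).
    Returns (canonical_fqdn, address), as getaddrinfo() with AI_CANONNAME would."""
    for fqdn in expand_query(name):
        if fqdn in zone:
            return fqdn, zone[fqdn]
    raise LookupError(name)

def hostname_matches(cert_sans, reference_id):
    """Case-insensitive exact match, or a wildcard only in the leftmost label
    of a multi-label name; trailing dots are normalised away."""
    ref = reference_id.rstrip(".").lower().split(".")
    for san in cert_sans:
        pat = san.rstrip(".").lower().split(".")
        if len(pat) != len(ref):
            continue
        head_ok = pat[0] == ref[0] or (pat[0] == "*" and len(pat) > 1)
        if head_ok and pat[1:] == ref[1:]:
            return True
    return False

# Constructed zone and certificates for the "george" scenario.
ZONE = {"george.example.org.": "10.0.0.7"}
INTERNAL_CERT = ["george.example.org"]   # issued by the internal CA
OUTSIDER_CERT = ["george"]               # a certificate for the bare label

def check(user_supplied, cert_sans, verify_against_canonical):
    """True if the certificate passes, verifying against either the canonical
    FQDN from the resolver or the name the application was originally given."""
    canonical, _addr = resolve(user_supplied, ZONE)
    reference = canonical if verify_against_canonical else user_supplied
    return hostname_matches(cert_sans, reference)
```

Running `check("george", OUTSIDER_CERT, False)` returns True and `check("george", OUTSIDER_CERT, True)` returns False, which is exactly the difference between the two verification layers the comment contrasts.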

postquantumfax 3 days ago

This isn't a red herring at all. This is DNS resolution and client PKIX implementation. You could fix your whole network to not import anything from outside, ban all BYOD, etc., or you could fire ICANN clowns who think they need to make changes to the reserved list because, why? Money, corruption, self-importance?

HN is full of people from SaaS startups who in essence want to buy the perfect 900 number. But DNS and delegation go far deeper than selling one name for $20 and going to other $20 names to store your code and email at other SaaS providers.