[jdev] Second-guessing dns for s2s
Matt Tucker
matt at jivesoftware.com
Sat Sep 24 23:00:09 CDT 2005
> We run our conference server on
> conference.jabber.meta.net.nz. This is a
> sub.sub.sub.domain.nz, and is probably very common for
> companies using jabber outside the US where their domain is
> in a CC TLD.
Thanks, that's a good point. The algorithm should be refined to account
for international domains. The fix for the IE vulnerability you
mentioned was to stop looking up the DNS tree past 3rd level domains in
the international case (described at
http://www.microsoft.com/technet/security/bulletin/fq99-054.mspx). The
fix was *not* to remove the tree walking algorithm completely.
I've filed this as a new issue in our tracker:
http://www.jivesoftware.org/issues/browse/JM-419
> If you can't afford to go buy a domain name that you fully
> control to run your jabber server under, then what kind of
> quality to end users are you going to be able to provide?
> This may be useful in a test environment, but not on the
> production Internet.
Again, the issue is that in large organizations managing DNS entries can
be a big PITA. :) Just because we're all engineers/admins that are
experts at manipulating DNS on our own networks doesn't mean that most
users are as well.
> now the message gets delivered
> to foo at jabber.org, foo at jabber.org isn't anyone at all related
> to foo at nifty.jabber.org.
No, the packet is addressed to foo at nifty.jabber.org and not
foo at jabber.org. It definitely won't get delivered to the wrong place
unless the server is "evil". See my previous arguments as to why you
should trust the whole domain tree if you trust dial-back
(notwithstanding the international domain bug that you reported).
Regards,
Matt
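The tree-walking algorithm under discussion, as an added example that is not code from this thread or from the Jive server: walk a hostname up the DNS tree to produce the parent domains an s2s connection might fall back to, and stop before reaching the registry level. The cut-off rule mirrors the "3rd level domain" fix the post cites for the international case; the generic-TLD list, the two-letter-ccTLD heuristic and the function names are assumptions made for illustration.

```python
"""Added example (not code from the jdev thread or from Jive's server):
walk a hostname up the DNS tree to list candidate parent domains for s2s,
with a depth cut-off modelled on the IE cookie-domain fix the post cites.
The TLD list and the cut-off rule are assumptions for illustration."""

# Assumed list of generic TLDs that register names at the 2nd level.
GENERIC_TLDS = {"com", "net", "org", "edu", "gov", "mil", "int"}


def min_labels(hostname: str) -> int:
    """Minimum number of labels a candidate may keep before the walk stops.

    Assumption: generic TLDs register at the 2nd level (example.org);
    two-letter ccTLDs are treated as registering at the 3rd level
    (example.co.nz), mirroring the '3rd level domain' rule in the post.
    """
    tld = hostname.rstrip(".").rsplit(".", 1)[-1].lower()
    if tld in GENERIC_TLDS:
        return 2
    if len(tld) == 2:
        return 3
    return 2  # other TLDs: assume 2nd-level registration


def parent_candidates(hostname: str) -> list:
    """Return the hostname and its parents, most specific first, stopping
    before the walk would reach the registry level (never the bare TLD)."""
    labels = [l for l in hostname.rstrip(".").lower().split(".") if l]
    floor = min_labels(hostname)
    out = []
    while len(labels) >= floor:
        out.append(".".join(labels))
        labels = labels[1:]  # strip the leftmost label and walk up
    return out


if __name__ == "__main__":
    # Constructed inputs taken from the hostnames mentioned in the thread.
    for h in ("conference.jabber.meta.net.nz", "nifty.jabber.org"):
        print(h, "->", parent_candidates(h))
```

For conference.jabber.meta.net.nz the walk stops at meta.net.nz rather than continuing to net.nz, which is the refinement the thread is asking for; for nifty.jabber.org it stops at jabber.org. The two-letter-ccTLD heuristic is only an approximation: a production implementation should consult the Public Suffix List instead, since many ccTLDs register at the 2nd level and some generic TLDs have 3rd-level registrations.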