Missing s3-dot entries for multiple AWS regions #1689

Open
INCIBE-CERT opened this issue Jan 20, 2023 · 4 comments
Labels
waiting-followup Blocked for need of follow-up

Comments

@INCIBE-CERT

Amazon seems to have moved some time ago from s3 dash region dot amazonaws.com to using s3 dot region dot amazonaws.com.

While some entries are present in both forms:

s3-ap-south-1.amazonaws.com
s3.ap-south-1.amazonaws.com
s3-ap-northeast-2.amazonaws.com
s3.ap-northeast-2.amazonaws.com
s3-eu-west-2.amazonaws.com
s3.eu-west-2.amazonaws.com
s3-eu-west-3.amazonaws.com
s3.eu-west-3.amazonaws.com

The following PSL entries, present only in dash form:

s3-ap-northeast-1.amazonaws.com
s3-ap-southeast-1.amazonaws.com
s3-ap-southeast-2.amazonaws.com
s3-ca-central-1.amazonaws.com
s3-eu-central-1.amazonaws.com
s3-eu-west-1.amazonaws.com
s3-sa-east-1.amazonaws.com
s3-us-east-2.amazonaws.com
s3-us-gov-west-1.amazonaws.com
s3-us-west-1.amazonaws.com
s3-us-west-2.amazonaws.com

actually also exist in dot form (even though they are not known to the PSL).

We have found them due to actual URLs using them (for several months), which were misclassified as, e.g., a 'foo.s3.ap-northeast-1' subdomain under 'amazonaws.com' instead of being treated as the 'foo' domain under the s3 suffix. A check on other similar entries made us reach the above list.

Only for a few exceptions (s3-external-1, s3-fips-us-gov-west-1, s3-us-gov-west-1) is the dot form not available.

Based on observed behavior and @lawells' description in #259, I think almost all s3- and s3-website- entries should actually also have a corresponding s3. / s3-website. one.

Basically, running
sed -Ei 's/^(s3(-website)?)-([^w].*\.amazonaws.com)$/&\n\1.\3/' public_suffix_list.dat

and removing duplicates.

This is consistent with the description at https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints that they are using the format protocol://service-code.region-code.amazonaws.com.

@aph3rson can you confirm this and incorporate the changes in the next AWS update?

Thanks
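Worked example, added here and not part of the issue or of the PSL project's own code: why the missing dot-form entry changes how a bucket hostname is classified, and a Python equivalent of the sed rewrite proposed above. Browsers and security tooling use the PSL to derive the registrable domain, which bounds cookie domain scope and same-site decisions, so without `s3.ap-northeast-1.amazonaws.com` in the list every bucket in that region collapses to the single registrable domain `amazonaws.com`. The rule set is a small constructed subset of public_suffix_list.dat (only entries quoted in the issue plus the TLD `com`); `add_dot_forms` mirrors the sed expression exactly, so it also rewrites `s3-external-1.amazonaws.com`, one of the entries the issue says has no dot form, since the `[^w]` guard only excludes a remainder beginning with `w`. The lookup implements plain longest-match only; wildcard and exception rules are not needed for this sample.

```python
"""Added example: PSL registrable-domain lookup over a constructed rule subset,
plus a Python equivalent of the proposed sed rewrite (dash form -> dot form)."""
import re

# Constructed subset of PSL rules (sample data, not the full list).
SAMPLE_RULES = [
    "com",
    "s3-ap-south-1.amazonaws.com",
    "s3.ap-south-1.amazonaws.com",             # already present in both forms
    "s3-ap-northeast-1.amazonaws.com",         # dash form only (the bug)
    "s3-website-ap-northeast-1.amazonaws.com",
    "s3-external-1.amazonaws.com",             # listed as having no dot form
]

# Same pattern as the sed expression in the issue:
#   s/^(s3(-website)?)-([^w].*\.amazonaws.com)$/&\n\1.\3/
_DASH_FORM = re.compile(r"^(s3(-website)?)-([^w].*\.amazonaws\.com)$")


def _dot_twin(rule):
    """Return the '\1.\3' rewrite of a dash-form rule, or None if no match."""
    m = _DASH_FORM.match(rule)
    return f"{m.group(1)}.{m.group(3)}" if m else None


def add_dot_forms(rules):
    """Append a dot-form twin after every matching dash-form entry, then drop
    duplicates while preserving order (the 'removing duplicates' step)."""
    out, seen = [], set()
    for rule in rules:
        for candidate in (rule, _dot_twin(rule)):
            if candidate and candidate not in seen:
                seen.add(candidate)
                out.append(candidate)
    return out


def public_suffix(hostname, rules):
    """Longest matching plain rule. An unknown TLD falls back to the last
    label, which is what the PSL's implicit '*' rule prescribes."""
    labels = hostname.lower().rstrip(".").split(".")
    rule_set = set(rules)
    best = labels[-1]
    # Walk from the shortest suffix to the longest; the last hit is the longest.
    for i in range(len(labels) - 2, -1, -1):
        candidate = ".".join(labels[i:])
        if candidate in rule_set:
            best = candidate
    return best


def registrable_domain(hostname, rules):
    """Public suffix plus one label, or None when the host is itself a suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    suffix_len = len(public_suffix(hostname, rules).split("."))
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


if __name__ == "__main__":
    host = "foo.s3.ap-northeast-1.amazonaws.com"
    print("before:", registrable_domain(host, SAMPLE_RULES))
    print("after: ", registrable_domain(host, add_dot_forms(SAMPLE_RULES)))
```

With the original rules the bucket host resolves to registrable domain `amazonaws.com` (the misclassification described above); after `add_dot_forms` it resolves to `foo.s3.ap-northeast-1.amazonaws.com`, the same result the already-present `s3.ap-south-1.amazonaws.com` entry gives for that region.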

@aph3rson
Contributor

@INCIBE-CERT thanks for the notice - a teammate of mine responded to your email prior. I'm including our emailed response here for posterity:

Thanks for reaching out. We are tracking this internally with the S3 team and will update the Github issue once we have a PR issued with the external PSL maintainers.

@dnsguru
Member

dnsguru commented Feb 26, 2023

@aph3rson can this and #1600 (the perpetual draft) be closed until such time as AWS internally sorts this all out and has something to submit?

dnsguru added the waiting-followup (Blocked for need of follow-up) label on Feb 27, 2023
@aph3rson
Contributor

aph3rson commented Mar 8, 2023

@dnsguru Feel free to close this issue from @INCIBE-CERT, as we're currently tracking this issue internally.
We plan to include the necessary changes within the next submitted batch of zones within #1600.

@dnsguru
Member

dnsguru commented Mar 8, 2023

OK thanks for the update @aph3rson - this will close automagically with #1600 once it gets updated and merged
