DNS name service provider is installed in the extension directory and currently granted with AllPermission. A service provider implementation should need SocketPermission and not need AllPermission.
The prototype to change the permissions for dnsns.jar uncovers a circular problem in networking security when performing a security check, SocketPermission will first resolve a name to get the IP address. When there is a DNS nameservice provider not with AllPermission, checking the SocketPermission will iterate each name service provider to get address (in this case it's the DNSNameService) that triggers another socket permission check. When it used to have AllPermission, the socket permission check was fast-path and I think it's the first time running into this problem when we change the permissions for dnsns.jar.
This is to follow up to evaluate the permissions required by DNS name service provider.