[dns-operations] dotless domains

Jim Reid jim at rfc1035.com
Sun Sep 23 08:57:59 UTC 2012

On 23 Sep 2012, at 09:38, Fred Morris wrote:

> I don't understand this entire debate. I am sorry. Can somebody please
> frame it?

Read the SSAC report: http://www.icann.org/en/groups/ssac/documents/sac-053-en.pdf 

> So what, exactly, *is* the security implication?

There are many. You even mention some of them yourself. The short
answer is that the behaviour of much application software (and stub
resolvers) is unpredictable and/or broken whenever they are presented
with a domain name which does not contain a dot. Amongst other things,
this can mean DNS lookups for QNAMEs which are not the same as that
original single label => getting directed to the wrong location or
being told that something doesn't exist when it actually does or vice
versa. Read that SSAC report.
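
An added illustration, not part of the original message: a small Python model of how one common stub-resolver policy (the `search`/`ndots` ordering described in resolv.conf(5)) turns a single-label name into different QNAMEs. The TLD label `widget`, the search suffixes and the addresses are constructed, and other resolvers and applications may behave differently.

```python
"""Constructed model of resolv.conf(5)-style search-list handling."""


def candidate_qnames(name, search, ndots=1):
    """Return the QNAMEs a stub resolver would try, in order."""
    if name.endswith("."):
        # A trailing dot marks the name as absolute: no search list applied.
        return [name]
    as_is = name + "."
    expanded = [f"{name}.{suffix.rstrip('.')}." for suffix in search]
    if name.count(".") >= ndots:
        # Enough dots: try the name as typed first, then the search list.
        return [as_is] + expanded
    # Too few dots (always true for a dotless name when ndots >= 1):
    # the search list is tried first, the name as typed only last.
    return expanded + [as_is]


def first_answer(name, search, records, ndots=1):
    """Return (qname, address) for the first candidate present in records."""
    for qname in candidate_qnames(name, search, ndots):
        if qname in records:
            return qname, records[qname]
    return None, None  # every candidate came back as non-existent


# Constructed sample data: a hypothetical dotless TLD "widget" with an
# address record, and an internal host that happens to share the label.
SEARCH = ["corp.example.com", "example.com"]
RECORDS = {
    "widget.": "192.0.2.10",
    "widget.corp.example.com.": "198.51.100.7",
}

if __name__ == "__main__":
    for typed in ("widget", "widget.", "www.widget"):
        print(f"{typed!r:14} tries {candidate_qnames(typed, SEARCH)}")
        print(f"{'':14} lands on {first_answer(typed, SEARCH, RECORDS)}")
```

With this policy the same typed label reaches the internal host on a machine that has the search list configured and the TLD's own record on a machine that does not.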

