[dns-operations] dotless domains
Jim Reid
jim at rfc1035.com
Sun Sep 23 08:57:59 UTC 2012
On 23 Sep 2012, at 09:38, Fred Morris wrote:
> I don't understand this entire debate. I am sorry. Can somebody please
> frame it?
Read the SSAC report: http://www.icann.org/en/groups/ssac/documents/sac-053-en.pdf
> So what, exactly, *is* the security implication?
There are many. You even mention some of them yourself. The short
answer is the behaviour of much application software (and stub
resolvers) is unpredictable and/or broken whenever they are presented
with a domain name which does not contain a dot. Amongst other things,
this can mean DNS lookups for QNAMEs which are not the same as that
original single label => getting directed to the wrong location or
being told that something doesn't exist when it actually does or vice
versa. Read that SSAC report.
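
Added example, not part of the original message: a simplified Python model of res_search-style search-list handling, showing how one dotless input becomes different QNAMEs (or none that resolve) depending on local resolver configuration. The zone data, the `corp.test` search domain, the `shop` label and the `skip_bare_single_label` knob are constructed assumptions, not the behaviour of any specific resolver.

```python
# Added illustration: simplified model of res_search-style search-list expansion.
# All names, addresses and the skip_bare_single_label knob are constructed.

def candidate_qnames(name, search, ndots=1, skip_bare_single_label=False):
    """Return, in order, the QNAMEs a stub resolver would send for `name`."""
    if name.endswith("."):
        return [name.lower()]          # trailing dot: fully qualified, no search list
    name = name.lower()
    absolute = name + "."
    suffixed = [f"{name}.{dom.strip('.').lower()}." for dom in search]
    dots = name.count(".")
    if dots == 0 and skip_bare_single_label:
        return suffixed                # modelled stub that never sends the bare label
    if dots >= ndots:
        return [absolute] + suffixed   # "enough" dots: try as-is first
    return suffixed + [absolute]       # too few dots: search list first


def resolve(name, search, zone, **opts):
    """Return (qname, address) for the first candidate present in `zone`."""
    for qname in candidate_qnames(name, search, **opts):
        if qname in zone:
            return qname, zone[qname]
    return None, None                  # NXDOMAIN for every candidate


ZONE = {
    "shop.": "192.0.2.10",             # hypothetical dotless TLD with an address
    "shop.corp.test.": "198.51.100.7", # unrelated internal host, same first label
}

if __name__ == "__main__":
    for label, search, opts in [
        ("office client", ["corp.test"], {}),
        ("home client", [], {}),
        ("strict stub", [], {"skip_bare_single_label": True}),
    ]:
        print(f"{label:14} {candidate_qnames('shop', search, **opts)!s:32} "
              f"-> {resolve('shop', search, ZONE, **opts)}")
```

The same typed name reaches the internal host on one client, the TLD on another, and nothing on the third; only the trailing-dot form `shop.` is unambiguous in this model.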