[dns-operations] dotless domains

Mark Andrews marka at isc.org
Mon Sep 24 06:51:46 UTC 2012


In message <505FE0C6.50206 at dougbarton.us>, Doug Barton writes:
> On 09/23/2012 21:07, Mark Andrews wrote:
> 
> > It does if "http://myname" goes to a local machine one day and the
> > next day it goes to a tld because "myname" was added
> > to the root zone and that zone has A, AAAA or SRV records which
> > will be the case if resolvers/browsers are "fixed" to make simple
> > names match against tld first, which you suggest is a logical
> > consequence of allowing this idiocy to continue.
> 
> I didn't say that was the only solution, maybe the better idea is "test
> local resolution first, then add a fully-qualifying dot second." My
> point was not, "Here is how to solve the problem," so stop attacking my
> poor, harmless straw man. :)  My point was that we are not limited to
> the status quo.
 
You then have administrators having to check the list of TLDs whenever
they add a new machine and rejecting any name that matches a tld
to prevent simple -> tld becoming simple -> local.

Simple -> TLD + Simple -> local cannot be made to work safely.

The best solution would be to acknowledge that this is a security
problem and fix gethostbyname, getaddrinfo etc. and browsers never
treat a simple name as a tld.  Simple names are locally resolved
not globally resolved.

> ... and are you saying that if I have foo.example.com, AND I have users
> that do http://foo, AND someone creates dot-foo, AND my users then try
> to go to my local site and get the TLD instead; that they will be
> confused into entering their foo.example password into a form on
> dot-foo? Or do I misunderstand?

They might.  Not all interfaces are good at showing what you have
connected to or even show anything at all.  Think "mail user at myname".
Which user gets the email?  The local user or the TLD user?

> Doug
> 
> -- 
> 
>     I am only one, but I am one.  I cannot do everything, but I can do
>     something.  And I will not let what I cannot do interfere with what
>     I can do.
> 			-- Edward Everett Hale, (1822 - 1909)
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
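To make the two resolution orders in this thread concrete, here is an added Python model (not code from the thread, from ISC, or from any real resolver) of a stub resolver's search-list expansion. It uses a constructed local zone, a constructed dotless TLD "foo" with an address record, and a constructed stand-in for the IANA TLD list; it also implements the "single-label names are only ever resolved locally" policy argued for above and the TLD-collision audit administrators would otherwise be stuck running.

```python
# Constructed sample data standing in for DNS answers; no live lookups are made.
LOCAL_ZONE = {"foo.example.com.": "192.0.2.10"}   # the admin's local host "foo"
ROOT_ZONE = {"foo.": "198.51.100.7"}              # hypothetical dotless TLD "foo" with an A record
SEARCH_LIST = ["example.com."]
DELEGATED_TLDS = {"com", "org", "foo"}            # constructed stand-in for IANA's TLD list
ZONES = [LOCAL_ZONE, ROOT_ZONE]


def lookup(fqdn):
    """Return the address for an absolute name, or None if nothing answers."""
    return next((zone[fqdn] for zone in ZONES if fqdn in zone), None)


def resolve(name, tld_first):
    """Expand a possibly-relative name the way a stub resolver does; return (fqdn, addr).

    tld_first=True tries the bare name at the root before the search list;
    tld_first=False tries the search list first and the bare name last. Either
    way the bare name reaches the root, so a newly delegated TLD can flip the answer.
    """
    if name.endswith("."):                        # already absolute: no expansion
        addr = lookup(name)
        return (name, addr) if addr else None
    bare = [name + "."]
    searched = [name + "." + d for d in SEARCH_LIST]
    for fqdn in (bare + searched if tld_first else searched + bare):
        addr = lookup(fqdn)
        if addr:
            return (fqdn, addr)
    return None


def resolve_local_only(name):
    """Policy argued for above: a single-label name is never treated as a TLD."""
    if name.endswith(".") or "." in name:         # absolute or multi-label: normal path
        return resolve(name, tld_first=False)
    for d in SEARCH_LIST:                         # one label: search list only, never the root
        fqdn = name + "." + d
        addr = lookup(fqdn)
        if addr:
            return (fqdn, addr)
    return None


def colliding_hostnames(local_names, tlds=DELEGATED_TLDS):
    """The audit administrators are otherwise stuck with: local short names that match a TLD."""
    return sorted(n for n in local_names if n.lower() in tlds)
```

Only a name the user explicitly terminates with a dot ("foo.") reaches the root under the local-only policy, which is the "fully-qualifying dot" Doug mentions.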