[dns-operations] dotless domains

Kyle Creyts kyle.creyts at gmail.com
Mon Sep 24 06:58:37 UTC 2012


Logically, shouldn't a right-side dot fix all of this?

If I browse to:
 http://myname./
I would expect to get a gTLD, as the right-side dot represents the root.

If I were to browse to:
 http://myname/
I would expect to hit my local definitions, then search domain, then
fail or hit the browser search.

Is this a broken view or does it make sense?


On Sun, Sep 23, 2012 at 11:51 PM, Mark Andrews <marka at isc.org> wrote:
>
> In message <505FE0C6.50206 at dougbarton.us>, Doug Barton writes:
>> On 09/23/2012 21:07, Mark Andrews wrote:
>>
>> > It does if "http://myname" goes to a local machine one day and the
>> > next day it goes to a tld because "myname" was added
>> > to the root zone and that zone has A, AAAA or SRV records which
>> > will be the case if resolvers/browsers are "fixed" to make simple
>> > names match against tld first, which you suggest is a logical
>> > consequence of allowing this idiocy to continue.
>>
>> I didn't say that was the only solution, maybe the better idea is "test
>> local resolution first, then add a fully-qualifying dot second." My
>> point was not, "Here is how to solve the problem," so stop attacking my
>> poor, harmless straw man. :)  My point was that we are not limited to
>> the status quo.
>
> You then have administrators having to check the list of TLDs whenever
> they add a new machine and rejecting any name that matches a tld
> to prevent simple -> tld becoming simple -> local.
>
> Simple -> TLD + Simple -> local cannot be made to work safely.
>
> The best solution would be to acknowledge that this is a security
> problem and fix gethostbyname, getaddrinfo etc. and browsers never
> treat a simple name as a tld.  Simple names are locally resolved
> not globally resolved.
>
>> ... and are you saying that if I have foo.example.com, AND I have users
>> that do http://foo, AND someone creates dot-foo, AND my users then try
>> to go to my local site and get the TLD instead; that they will be
>> confused into entering their foo.example password into a form on
>> dot-foo? Or do I misunderstand?
>
> They might.  Not all interfaces are good at showing what you have
> connected to or even show anything at all.  Think "mail user at myname".
> Which user gets the email?  The local user or the TLD user?
>
>> Doug
>>
>> --
>>
>>     I am only one, but I am one.  I cannot do everything, but I can do
>>     something.  And I will not let what I cannot do interfere with what
>>     I can do.
>>                       -- Edward Everett Hale, (1822 - 1909)
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations



-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer
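As an added illustration (not code from this thread, nor the behaviour of any particular stub resolver), the following Python model encodes the policy the two messages converge on: a name with a trailing dot is absolute and is looked up against the root; a single-label name is answered from local definitions and the search list only, and is never tried as a TLD, so a newly delegated dotless gTLD cannot silently capture it. The hosts table, search list and "global zone" below are constructed sample data; the resolver names and the `ndots` handling are assumptions modelled on common stub-resolver conventions.

```python
"""Model of a resolver-side policy for dotless and trailing-dot names.

Illustrative code only. The local hosts table, search list and the
"global zone" are constructed for the example and do not describe any
real network.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ResolverConfig:
    hosts: Dict[str, str] = field(default_factory=dict)   # constructed /etc/hosts-style entries
    search: List[str] = field(default_factory=list)       # constructed search list
    ndots: int = 1                                        # assumed: dots needed before trying absolute first


def classify(name: str) -> str:
    """'absolute' (trailing dot), 'single-label' (no dot) or 'relative' (dots, no trailing dot)."""
    if name.endswith("."):
        return "absolute"
    if "." not in name:
        return "single-label"
    return "relative"


def candidate_queries(name: str, cfg: ResolverConfig) -> List[str]:
    """Ordered list of fully qualified names (with trailing dot) to query.

    A single-label name is only ever expanded with the search list; the bare
    root-anchored form "name." is deliberately never generated for it, which
    is what keeps "myname" from resolving to a TLD called myname.
    """
    kind = classify(name)
    if kind == "absolute":
        return [name]
    if kind == "single-label":
        return [f"{name}.{d}." for d in cfg.search]
    # Multi-label relative name: conventional ndots ordering.
    dots = name.count(".")
    candidates: List[str] = []
    if dots >= cfg.ndots:
        candidates.append(name + ".")
    candidates.extend(f"{name}.{d}." for d in cfg.search)
    if dots < cfg.ndots:
        candidates.append(name + ".")
    return candidates


def resolve(name: str, cfg: ResolverConfig,
            global_zone: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Resolve per the policy: local hosts first, then DNS candidates in order.

    Returns (source, address) where source is 'local', 'dns' or 'nxdomain'.
    """
    if classify(name) != "absolute" and name in cfg.hosts:
        return ("local", cfg.hosts[name])
    for fqdn in candidate_queries(name, cfg):
        if fqdn in global_zone:
            return ("dns", global_zone[fqdn])
    return ("nxdomain", None)


# Constructed sample data: a local host "foo", a search domain, and a global
# zone in which both "myname" and "bar" exist as dotless TLDs with addresses.
SAMPLE_CFG = ResolverConfig(hosts={"foo": "192.0.2.7"}, search=["example.com"])
SAMPLE_ZONE = {
    "myname.": "203.0.113.10",              # the dotless gTLD itself
    "myname.example.com.": "192.0.2.5",     # the local service users mean
    "bar.": "203.0.113.20",                 # a dotless TLD with no local counterpart
}


if __name__ == "__main__":
    for n in ("myname.", "myname", "foo", "bar", "www.example.com"):
        print(n, "->", classify(n), candidate_queries(n, SAMPLE_CFG), resolve(n, SAMPLE_CFG, SAMPLE_ZONE))
```

Under this policy `http://myname./` reaches the TLD as Kyle expects, `http://myname` reaches `myname.example.com.` through the search list, `foo` is answered from the local table, and `bar` returns NXDOMAIN even though `bar.` exists in the zone, because the single-label form is never tried against the root. The cost, as Mark notes, is that a dotless TLD is reachable only when written with the trailing dot.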


