[dns-operations] dotless domains

Kyle Creyts kyle.creyts at gmail.com
Mon Sep 24 07:00:40 UTC 2012


(I do realize that this may be outside of the scope of this
conversation, but I really think people should be strongly encouraged
to use the dot at the end.)

On Sun, Sep 23, 2012 at 11:58 PM, Kyle Creyts <kyle.creyts at gmail.com> wrote:
> Logically, shouldn't a right-side dot fix all of this?
>
> If I browse to:
>  http://myname./
> I would expect to get a gTLD, as the right-side dot represents the root.
>
> If I were to browse to:
>  http://myname/
> I would expect to hit my local definitions, then search domain, then
> fail or hit the browser search.
>
> Is this a broken view or does it make sense?
>
>
> On Sun, Sep 23, 2012 at 11:51 PM, Mark Andrews <marka at isc.org> wrote:
>>
>> In message <505FE0C6.50206 at dougbarton.us>, Doug Barton writes:
>>> On 09/23/2012 21:07, Mark Andrews wrote:
>>>
>>> > It does if "http://myname" goes to a local machine one day and the
>>> > next day it goes to a tld because "myname" was added
>>> > to the root zone and that zone has A, AAAA or SRV records which
>>> > will be the case if resolvers/browsers are "fixed" to make simple
>>> > names match against tld first, which you suggest is a logical
>>> > consequence of allowing this idiocy to continue.
>>>
>>> I didn't say that was the only solution, maybe the better idea is "test
>>> local resolution first, then add a fully-qualifying dot second." My
>>> point was not, "Here is how to solve the problem," so stop attacking my
>>> poor, harmless straw man. :)  My point was that we are not limited to
>>> the status quo.
>>
>> You then have administrators having to check the list of TLDs whenever
>> they add a new machine and rejecting any name that matches a tld
>> to prevent simple -> tld becoming simple -> local.
>>
>> Simple -> TLD + Simple -> local cannot be made to work safely.
>>
>> The best solution would be to acknowledge that this is a security
>> problem and fix gethostbyname, getaddrinfo etc. and browsers never
>> treat a simple name as a tld.  Simple names are locally resolved
>> not globally resolved.
>>
>>> ... and are you saying that if I have foo.example.com, AND I have users
>>> that do http://foo, AND someone creates dot-foo, AND my users then try
>>> to go to my local site and get the TLD instead; that they will be
>>> confused into entering their foo.example password into a form on
>>> dot-foo? Or do I misunderstand?
>>
>> They might.  Not all interfaces are good at showing what you have
>> connected to or even show anything at all.  Think "mail user at myname".
>> Which user gets the email?  The local user or the TLD user?
>>
>>> Doug
>>>
>>> --
>>>
>>>     I am only one, but I am one.  I cannot do everything, but I can do
>>>     something.  And I will not let what I cannot do interfere with what
>>>     I can do.
>>>                       -- Edward Everett Hale, (1822 - 1909)
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>> dns-jobs mailing list
>> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>
>
>
> --
> Kyle Creyts
>
> Information Assurance Professional
> BSidesDetroit Organizer



-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer
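The thread turns on how a stub resolver treats a relative name like "myname" versus an absolute one like "myname." (trailing dot), and on Mark's point that a single-label local hostname which is also a TLD resolves differently depending on resolver policy. The following is an added example, not code from any participant or from ISC: it models the resolv.conf "search" / "options ndots:N" expansion as glibc performs it (search suffixes first for names with fewer than ndots dots, then the bare name against the root; absolute names are never expanded), and flags local hostnames that collide with a TLD. The TLD set is a constructed subset for illustration only; a real check would consult the IANA root zone. Names, functions and the search list below are assumptions.

```python
"""
Search-list expansion for dotless names, modelled on the glibc stub
resolver's handling of resolv.conf "search" and "options ndots:N".
Added example; not code from the thread. The TLD set is constructed.
"""
from typing import Iterable, List, Set

# Constructed TLD subset for illustration only (assumption); the real
# authority is the IANA root zone, which changes over time.
EXAMPLE_TLDS: Set[str] = {"com", "net", "org", "example", "myname"}


def candidate_queries(name: str, search: List[str], ndots: int = 1) -> List[str]:
    """Return the absolute names a stub resolver would try, in order.

    A trailing dot makes the name absolute: it is queried once, against
    the root, and the search list is never consulted. Otherwise, a name
    with at least ``ndots`` dots is tried as-is first and then with each
    search suffix; a name with fewer dots (e.g. a bare "myname") gets the
    search suffixes first and the bare name, i.e. a TLD lookup, last.
    """
    if name.endswith("."):
        return [name]
    absolute = name + "."
    expanded = [f"{name}.{suffix.rstrip('.')}." for suffix in search]
    if name.count(".") >= ndots:
        return [absolute] + expanded
    return expanded + [absolute]


def is_dotless(name: str) -> bool:
    """True for a single-label relative name such as 'myname'."""
    return "." not in name


def tld_collisions(hostnames: Iterable[str], tlds: Set[str] = EXAMPLE_TLDS) -> List[str]:
    """Single-label local hostnames that are also TLDs (case-insensitive).

    These are exactly the names whose resolution flips between the local
    host and the global TLD depending on which is tried first, which is
    the check Mark says administrators would be forced to perform.
    """
    return sorted(h for h in hostnames if is_dotless(h) and h.lower() in tlds)


if __name__ == "__main__":
    search = ["example.com", "corp.example"]  # assumed resolv.conf search list
    for n in ("myname.", "myname", "foo.bar"):
        print(n, "->", candidate_queries(n, search))
    print("collisions:", tld_collisions(["myname", "printer", "Example"]))
```

With the default ndots of 1 the bare "myname" is tried against every search suffix before it is ever sent to the root, which is the "local first, then search domain, then fail" order Kyle expects; "myname." skips all of that and goes straight to the root. The collision list is what would have to be re-checked every time the root zone gains a TLD, which is why Mark argues the local/global split cannot be made safe by ordering alone.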