[dns-operations] dotless domains

Mark Andrews marka at isc.org
Mon Sep 24 07:51:10 UTC 2012


In message <CA+TcGd-6gQ99yAijNCWOwSeAutU0WA=g6SPF6JU60h7BVk5aXQ at mail.gmail.com>, Kyle Creyts writes:
> Logically, shouldn't a right-side dot fix all of this?

No.
 
> If I browse to:
>  http://myname./
> I would expect to get a gTLD, as the right-side dot represents the root.
> 
> If I were to browse to:
>  http://myname/
> I would expect to hit my local definitions, then search domain, then
> fail or hit the browser search.
> 
> Is this a broken view or does it make sense?

It is a broken view.
 
> On Sun, Sep 23, 2012 at 11:51 PM, Mark Andrews <marka at isc.org> wrote:
> >
> > In message <505FE0C6.50206 at dougbarton.us>, Doug Barton writes:
> >> On 09/23/2012 21:07, Mark Andrews wrote:
> >>
> >> > It does if "http://myname" goes to a local machine one day and the
> >> > next day it goes to a tld because "myname" was added
> >> > to the root zone and that zone has A, AAAA or SRV records which
> >> > will be the case if resolvers/browsers are "fixed" to make simple
> >> > names match against tld first, which you suggest is a logical
> >> > consequence of allowing this idiocy to continue.
> >>
> >> I didn't say that was the only solution, maybe the better idea is "test
> >> local resolution first, then add a fully-qualifying dot second." My
> >> point was not, "Here is how to solve the problem," so stop attacking my
> >> poor, harmless straw man. :)  My point was that we are not limited to
> >> the status quo.
> >
> > You then have administrators having to check the list of TLDs whenever
> > they add a new machine and rejecting any name that matches a tld
> > to prevent simple -> tld becoming simple -> local.
> >
> > Simple -> TLD + Simple -> local cannot be made to work safely.
> >
> > The best solution would be to acknowledge that this is a security
> > problem and fix gethostbyname, getaddrinfo etc. and browsers never
> > treat a simple name as a tld.  Simple names are locally resolved
> > not globally resolved.
> >
> >> ... and are you saying that if I have foo.example.com, AND I have users
> >> that do http://foo, AND someone creates dot-foo, AND my users then try
> >> to go to my local site and get the TLD instead; that they will be
> >> confused into entering their foo.example password into a form on
> >> dot-foo? Or do I misunderstand?
> >
> > They might.  Not all interfaces are good at showing what you have
> > connected to or even show anything at all.  Think "mail user at myname".
> > Which user gets the email?  The local user or the TLD user?
> >
> >> Doug
> >>
> >> --
> >>
> >>     I am only one, but I am one.  I cannot do everything, but I can do
> >>     something.  And I will not let what I cannot do interfere with what
> >>     I can do.
> >>                       -- Edward Everett Hale, (1822 - 1909)
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> > _______________________________________________
> > dns-operations mailing list
> > dns-operations at lists.dns-oarc.net
> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> > dns-jobs mailing list
> > https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
> 
> 
> 
> -- 
> Kyle Creyts
> 
> Information Assurance Professional
> BSidesDetroit Organizer
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
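The resolution policy argued for above ("simple names are locally resolved, not globally resolved") and the administrator check described as a burden (comparing local hostnames against the TLD list), written out as an added Python example that is not part of this thread; the TLD set and hostnames are constructed sample data, and the function names are my own.

```python
"""Resolution policy for dotless names, as argued in the thread above:
a simple (single-label, no trailing dot) name is only ever qualified with
the search list and never sent to the root as a TLD query; only a name
with a trailing dot is treated as absolute (global).

Also the collision check an administrator would otherwise have to run by
hand: which local single-label hostnames are also delegated TLDs.
All data below is constructed sample data, not the live root zone."""
from __future__ import annotations

# Constructed sample of delegated TLDs; "myname" stands in for the
# hypothetical new gTLD discussed in the thread.
SAMPLE_TLDS = {"com", "org", "net", "myname"}


def is_fully_qualified(name: str) -> bool:
    """A trailing dot marks the name as rooted (absolute)."""
    return name.endswith(".")


def resolution_candidates(name: str, search_domains: list[str]) -> list[str]:
    """Return the absolute names to query, in order, under the policy
    'simple names are local, never global'."""
    if is_fully_qualified(name):
        return [name.lower()]                      # absolute: query as-is
    rel = name.lower()
    qualified = [f"{rel}.{d.strip('.')}." for d in search_domains]
    if "." not in rel:
        # Simple name: only search-list qualified forms; the bare label is
        # never tried as a TLD, so a new delegation cannot hijack it.
        return qualified
    # Multi-label relative name: conventional ndots:1 behaviour, try it as
    # absolute first, then the search list.
    return [f"{rel}."] + qualified


def tld_collisions(local_hosts: list[str], tlds: set[str] = SAMPLE_TLDS) -> list[str]:
    """Local single-label hostnames that are also delegated TLDs; these are
    exactly the names where simple->local and simple->TLD would disagree."""
    found = set()
    for host in local_hosts:
        label = host.lower().rstrip(".")
        if "." not in label and label in tlds:
            found.add(label)
    return sorted(found)


if __name__ == "__main__":
    print(resolution_candidates("myname", ["example.com"]))   # only the local form
    print(tld_collisions(["foo", "myname", "mail.example.com", "Org"]))
```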


