[dns-operations] root? we don't need no stinkin' root!

Fred Morris m3047 at m3047.net
Wed Nov 27 18:47:10 UTC 2019


I've been following this thread, and I'm well aware of the massive amounts 
of NXDOMAIN stuff. I don't know enough about this specific issue.

But there are things which happen in Browser Land which would lead me to 
naively conclude the people making browsers don't understand DNS. Two 
recent (actually ongoing) examples:

1) Firefox still (years now, although I haven't filed a bug) doesn't
    understand that it's perfectly ok to have a trailing dot on an FQDN;
    and it serves a purpose. (It's not supposed to be included in the TLS
    Host: header though.)

2) In spite of implementing their own DNS resolvers, browsers seem unable
    to block domains cloaked by CNAMEs (the third party trackers accessing
    first party cookies trope, RPZ works just fine for some odd reason).

On Wed, 27 Nov 2019, Petr Špaček wrote:
>> [...]
>> “Coincidence? I think NOT!” 
>> 
>> https://youtu.be/MDpuTqBI0RM?t=53
>
> FYI there is also an issue about this in their tracker:
> https://bugs.chromium.org/p/chromium/issues/detail?id=946450#c1

As I understand it these are unadorned labels, unit of one. Two 
parts to this.


What's Chrome's point with this? They've trained monkeys that URLs are for 
Boomers, just type a search string in there. Wild guess here, it goes 
something like this:

User types an undotted hostname on their network. Chrome searches and 
returns a bunch of shopping and social media sites. Ok, that makes monkeys 
upset. Well, we'll go off the reservation (we really hate doing this) and 
see if our operating environment resolves it before searching. Oh drat! 
The operating environment is doing a search! Some monkeys are upset either 
way. Prod Mgr: They're interfering with our search! They don't understand 
the one true way! Dev: I think we should aggressively probe the operating 
environment with garbage, the best defense is a good offense. Prod Mgr: 
Let's call it a "friendly" probe and I'm good with it.

Fine, you may not like my personalizations, but is that it? I don't 
believe these people are idiots with no knowledge of DNS operation.

To riff off of an old South Park episode, there seems to be a lot of smug 
in the air. It's not just one thing. It's a pattern of engineering around 
the DNS. Poorly.

Since I don't use Chrome, could somebody please type a local hostname (one 
label) with a trailing dot into the thing and see what happens? Nothing 
good, I'm sure. Those who know the purpose of the trailing dot will know 
that this should outright fail to resolve (probably sends a request to the 
root for the label as a TLD).

Since they're already engineering around the DNS and the trailing dot has 
been a casualty for some time, would it be unthinkable for them to 
repurpose it as a declarative: this label needs to be sent to the 
operating environment resolver (without the dot). Search lists... 
everybody hates search lists.


Let me put it to you this way: which do you hate more, search lists or 
unary labels hitting the roots?

Shouldn't what happens be that they spew their probe at the operating 
environment resolver, it appends things from the search list and tries 
those?

If there's a shared engineering problem here, isn't it that when these 
fail, the resolver tries the naked label? Or tries it first, but in any 
case, tries it.

Isn't the proliferation of "valid" TLDs contributing to this embarrassment 
of riches by making approaches such as selectively whitelisting TLDs so 
increasingly impractical as to obviate consideration?

Should local resolvers reject attempts to resolve single labels as TLDs 
unless RD=0?


I apologize, none of this is fully baked, but the debate doesn't seem to 
be encompassing the entirety of the system.

--

Fred Morris
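To make the trailing-dot and search-list behaviour discussed above concrete, here is an added toy model (not code from the poster, the list, or any browser or resolver). It assumes resolv.conf-style "search" and "ndots" semantics, and the log-line format it parses is a constructed one used only for this illustration.

```python
"""Toy model of stub-resolver name qualification (search list, ndots, trailing
dot) and of the "refuse single-label recursive queries" policy floated above.
Written for this discussion; not Chrome's, glibc's or any resolver's code."""
from dataclasses import dataclass, field

@dataclass
class StubConfig:
    """Subset of resolv.conf: 'search' list and 'ndots' threshold (assumed)."""
    search: list = field(default_factory=list)   # e.g. ["corp.example", "example"]
    ndots: int = 1

def candidate_queries(name: str, cfg: StubConfig) -> list:
    """Absolute names a resolv.conf-style stub would try, in order. A trailing
    dot makes the name absolute: no search-list expansion, so a single label
    like "printer." goes straight to the root as if it were a TLD."""
    if name.endswith("."):
        return [name]
    as_is = name + "."
    expanded = [f"{name}.{suffix}." for suffix in cfg.search]
    if name.count(".") >= cfg.ndots:
        return [as_is] + expanded
    # Below the ndots threshold: search list first, naked label last. That
    # last entry is exactly the "unary label hitting the roots" case.
    return expanded + [as_is]

def is_bare_label(qname: str) -> bool:
    """True when qname is exactly one label (trailing root dot ignored)."""
    return len([l for l in qname.rstrip(".").split(".") if l]) == 1

def should_refuse(qname: str, rd: bool) -> bool:
    """Policy from the thread: refuse a single-label query unless RD=0. With
    RD=0 the client is explicitly not asking for recursion, so it passes."""
    return rd and is_bare_label(qname)

def flag_log(lines: list) -> list:
    """Bare-label RD=1 queries from constructed log lines shaped like
    '<client> <qname> <qtype> RD=<0|1>' (format assumed, not a real server's)."""
    flagged = []
    for line in lines:
        client, qname, qtype, rd = line.split()
        if should_refuse(qname, rd == "RD=1"):
            flagged.append((client, qname, qtype))
    return flagged

if __name__ == "__main__":
    cfg = StubConfig(search=["corp.example", "example"])
    print(candidate_queries("printer", cfg))   # search list first, then "printer."
    print(candidate_queries("printer.", cfg))  # ["printer."] only: the root is asked
    log = ["10.0.0.5 printer. A RD=1", "10.0.0.5 www.corp.example. A RD=1",
           "10.0.0.9 qwxzv. A RD=1", "10.0.0.7 corp. NS RD=0"]   # constructed
    print(flag_log(log))   # the two bare-label RD=1 queries
```

Run the script directly to see the ordering differ between "printer" (search list, then the naked label) and "printer." (naked label only), and which of the constructed log lines the proposed policy would have refused.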

