[dns-operations] root? we don't need no stinkin' root!
m3047 at m3047.net
Wed Nov 27 18:47:10 UTC 2019
I've been following this thread, and I'm well aware of the massive amounts
of NXDOMAIN stuff. I don't know enough about this specific issue.
But there are things which happen in Browser Land which would lead me to
naively conclude the people making browsers don't understand DNS. Two
recent (actually ongoing) examples:
1) Firefox still (years now, although I haven't filed a bug) doesn't
understand that it's perfectly ok to have a trailing dot on an FQDN;
and it serves a purpose. (It's not supposed to be included in the TLS
Host: header though.)
2) In spite of implementing their own DNS resolvers, browsers seem unable
to block domains cloaked by CNAMEs (the third party trackers accessing
first party cookies trope, RPZ works just fine for some odd reason).
On Wed, 27 Nov 2019, Petr Špaček wrote:
>> “Coincidence? I think NOT!”
> FYI there is also an issue about this in their tracker:
As I understand it these are unadorned labels, unit of one. Two
parts to this.
What's Chrome's point with this? They've trained monkeys that URLs are for
Boomers, just type a search string in there. Wild guess here, it goes
something like this:
User types an undotted hostname on their network. Chrome searches and
returns a bunch of shopping and social media sites. Ok, that makes monkeys
upset. Well, we'll go off the reservation (we really hate doing this) and
see if our operating environment resolves it before searching. Oh drat!
The operating environment is doing a search! Some monkeys are upset either
way. Prod Mgr: They're interfering with our search! They don't understand
the one true way! Dev: I think we should agressively probe the operating
environment with garbage, the best defense is a good offense. Prod Mgr:
Let's call it a "friendly" probe and I'm good with it.
Fine, you may not like my personalizations, but is that it? I don't
believe these people are idiots with no knowledge of DNS operation.
To riff off of an old South Park episode, there seems to be a lot of smug
in the air. It's not just one thing. It's a pattern of engineering around
the DNS. Poorly.
Since I don't use Chrome, could somebody please type a local hostname (one
label) with a trailing dot into the thing and see what happens? Nothing
good, I'm sure. Those who know the purpose of the trailing dot will know
that this should outright fail to resolve (probably sends a request to the
root for the label as a TLD).
Since they're already engineering around the DNS and the trailing dot has
been a casualty for some time, would it be unthinkable for them to
repurpose it as a declarative: this label needs to be sent to the
operating environment resolver (without the dot). Search lists...
everybody hates search lists.
Let me put it to you this way: which do you hate more, search lists or
unary labels hitting the roots?
Shouldn't what happens be that they spew their probe at the operating
environment resolver, it appends things from the search list and tries
If there's a shared engineering problem here, isn't it that when these
fail, the resolver tries the naked label? Or tries it first, but in any
case, tries it.
Isn't the proliferation of "valid" TLDs contributing to this embarrassment
of riches by making approaches such as selectively whitelisting TLDs so
increasingly impractical as to obviate consideration?
Should local resolvers reject attempts to resolve single labels as TLDs
I apologize, none of this is fully baked, but the debate doesn't seem to
be encompassing the entirety of the system.
More information about the dns-operations