[dns-operations] Input from dns-operations on NCAP proposal

Brian Dickson brian.peter.dickson at gmail.com
Sat Jun 4 00:19:01 UTC 2022

On Fri, Jun 3, 2022 at 3:17 PM John R Levine <johnl at taugh.com> wrote:

> On Fri, 3 Jun 2022, John Levine wrote:
> >> In such a configuration, if the host name "foo" matches the candidate
> >> "foo", and the latter is changed from NXDOMAIN ...
> > Do we have any idea how many systems still use search lists?  We've been
> saying
> > bad things about them at least since .CS was added in 1991.
> It occurs to me there is another way to look at this.  There are already
> 1487 delegated TLDs, and I doubt anyone could name more than a small
> fraction of them.  If this increases the number of names that will break
> search lists from 1487 to 1488, how much of a problem is this likely to be
> in practice, which leads back to ...
If it was ONLY a progression of 1487->1488, it might not be that bad (but
again, that all depends on what number 1488 actually is.)

What it is actually is an exercise in survivorship bias.
Anyone who might have been impacted by any of the earlier rounds of
expansion, will (likely) have learned their lesson.
That lesson may depend on tribal knowledge, which might not be reliable
enough for any previous victim to not be re-victimized.

Anyone not previously affected may be unaware of the risk their own set-up
places them in, until their choices run up against newly deployed TLDs.

Until the practice or standard/implementation for search-lists is fully
deprecated, the risk will remain, for either new TLDs being deployed or new
host names or naming conventions being deployed.

Unimaginative host names like "mail001" are likely safe.

However, naming hosts after some class of entities, like manufacturers or
fast food companies or even classes of things, will ironically be risky.

The best analogy I can think of is playing "minesweeper" on a huge board,
where the number of mines periodically gets increased, where there are no
signals of adjacent mines (1-8), no flags, and no automatic flooding of
zero-mine areas.
Spots you have clicked on could be subsequently mined, and you lose. It is
an asynchronous race condition, where an external party is making moves
(adding mines) on your behalf.
It would not be considered a "fun" game, IMNSHO.


P.S. Having "ndots:N" for N>0 isn't necessarily safe, either. Any new TLD
that matches an internal namespace component rather than hostname, won't
necessarily be discovered until registrations begin.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20220603/1f3fa74c/attachment.html>

More information about the dns-operations mailing list