ICANN opens up Pandora's Box of new TLDs

Roger Marquis marquis at roble.com
Sun Jun 29 21:45:55 UTC 2008

Stephane Bortzmeyer bortzmeyer at nic.fr wrote:
> I am very curious of what tests a "security-aware programmer" can do,
> based on the domain name, which will not be possible tomorrow, should
> ICANN allow a few more TLDs.

The difference between '[a-z0-9\-\.]*\.[a-z]{2,5}' and
'[a-z0-9\-\.]*\.[a-z\-]*' is substantial from a security perspective.
Aside from the IP issues it effectively precludes anyone from defining a
hostname that cannot also be someone else's domain name. It's not too hard
to see the problems with that. An analogous network scenario would be IP
addresses of varying length and without a netmask.

> If you test that the TLD exists... it will still work.

Only if A) you are always online with B) reliable access to the tld's
nameserver/s, and C) can deal with the latency.  In practice this is
often not the case.

> If you test that the name matches (com|net|org|[a-z]{2}), then you are
> not what I would call a "security-aware programmer".

Will you still think that when someone buys the right to the .nic tld and
starts harvesting your queries and query related traffic?  Not that that
doesn't happen now, to a far lesser degree.  But it's the extent to which
this presents new opportunities for black hats that should have given ICANN
pause.  Odds are that RBLs will be among the first targets.

Bottom line is the decision was made for its _monetization_ value, not
security, and customer service was just a pretense.

Roger Marquis
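As an added illustration of the collision Roger describes (example code, not part of the original post): an offline classifier that asks "could this name be a public DNS name?" under a closed set of TLDs versus an open one, run over a constructed list of internal hostnames. The TLD list and the hostnames are assumptions made up for the example.

```python
import re

# A single DNS label: letters, digits and hyphens, no leading/trailing hyphen.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"

# Closed-TLD policy (assumed list for the example): a handful of generic TLDs
# plus any two-letter country code, in the spirit of the quoted
# (com|net|org|[a-z]{2}) check. No network lookup is needed.
CLOSED_TLD = re.compile(
    rf"(?:{LABEL}\.)+(?:com|net|org|edu|gov|mil|int|info|biz|[a-z]{{2}})"
)

# Open-TLD policy: once any label can be a TLD, the only syntactic test left
# is "is this a well-formed multi-label hostname?".
OPEN_TLD = re.compile(rf"(?:{LABEL}\.)+{LABEL}")


def could_be_public(name: str, open_tlds: bool) -> bool:
    """True if `name` is syntactically a possible public DNS name."""
    pattern = OPEN_TLD if open_tlds else CLOSED_TLD
    return pattern.fullmatch(name.lower().rstrip(".")) is not None


def internal_names_that_collide(names, open_tlds: bool):
    """Internal hostnames that the policy would also accept as public names."""
    return [n for n in names if could_be_public(n, open_tlds)]


# Constructed sample: names an operator might have chosen for an internal
# network, trusting that no public TLD could ever match the last label.
INTERNAL_HOSTS = ["db1.corp", "printer.lab", "nas.home", "wiki.intranet", "ldap.nic"]

if __name__ == "__main__":
    for open_tlds in (False, True):
        policy = "open TLDs" if open_tlds else "closed TLD list"
        print(policy, "->", internal_names_that_collide(INTERNAL_HOSTS, open_tlds))
```

With the closed list none of the internal names can be mistaken for a public one; with open TLDs every one of them can, which is the ambiguity the post compares to IP addresses without a netmask.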

More information about the NANOG mailing list