Bare TLD resolutions

Jay Ashworth jra at
Wed Sep 17 17:36:09 UTC 2014

---- Original Message -----
> From: "David Conrad" <drc at>

> A common case of name collision is driven by the “DNS search path”,
> e.g., if you have a “search path” of “;” and you
> type “telnet baz”, _some_ resolver libraries will try to resolve
> “”, if that fails then “”, if that fails
> then “baz.”, if that fails return an error to the user.
> However, the "search path” algorithm was never fully standardized and
> there are implementations that try “baz.” first (there are even some
> implementations that will split up the path elements, e.g., if
> ‘’ fails, the resolver library will try ‘’).

Yes; this is what I was talking about.

If I have a machine inside my network called "aero", and I telnet to
it, and for some reason the search path blows it, I might try to
resolve "aero." against the Greater Internet, and if the .aero TLD
*returns an A record*, then I'm in trouble.  Correct?

> In my view, given the lack of standardization and the potential
> security implications, search paths shouldn’t be used at all.

True, but not entirely germane to this level of the issue.

> > The latter would seem to be avoidable by making sure that *DNS
> > resolution of bare TLDs always returns NXDOMAIN*.
> It is quite rare that a TLD is queried for directly. Resolver
> libraries generally do not parse the name being queried and send the
> minimum to the authoritative servers. That is, if a resolver is asked
> for “”, it sends the entire string to the root server and
> gets back a referral to the COM servers — it generally does not parse
> “” to get the TLD and send “COM” to the root servers to get
> the referral. This latter behavior is called “QNAME minimization” and
> is a good idea for performance and privacy (and other reasons), but
> not yet generally implemented because it is a bit tricky in the
> general case.

Sure, but as you pointed out above, we're not talking about that.

We're talking, largely, about error cases *that used to break as you wanted,
and now might not*.

> > If it isn't, does anyone know of any domains dumb enough to actual
> > return something for a lookup on the bare TLD?
> There are a few ccTLDs that provide apex wildcards: they’ll return an
> “A” record for any random goop (.WS is an example), however this
> behavior is banned from gTLDs (an outcome of the SiteFinder debacle).

A records being returned for bare TLDs *is* formally banned?

(Oh: specifically for cctlds.  Got it.)


> > Is there actually *any* good reason why a lookup on a bare TLD
> > ("com.") might return a valid record?
> Some of the folks in ICANN’s new gTLD program, typically the folks
> who’ve gone for “brand” TLDs (e.g., .bmw), have argued for what’s
> called “dotless” domains: 

Yeah; that's not a "good" reason.  :-)

> > And what about Naomi?
> Never was a big fan of the chair.

Electric Company FTW.

-- jra
Jay R. Ashworth                  Baylink                       jra at
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates          2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274

More information about the NANOG mailing list