Bare TLD resolutions
jra at baylink.com
Wed Sep 17 17:36:09 UTC 2014
----- Original Message -----
> From: "David Conrad" <drc at virtualized.org>
> A common case of name collision is driven by the “DNS search path”,
> e.g., if you have a “search path” of “bar.com;foo.bar.com” and you
> type “telnet baz”, _some_ resolver libraries will try to resolve
> “baz.bar.com”, if that fails then “baz.foo.bar.com”, if that fails
> then “baz.”, if that fails return an error to the user.
> However, the "search path” algorithm was never fully standardized and
> there are implementations that try “baz.” first (there are even some
> implementations that will split up the path elements, e.g., if
> ‘baz.bar.com’ fails, the resolver library will try ‘baz.com’).
Yes; this is what I was talking about.
If I have a machine inside my network called "aero", and I telnet to
it, and for some reason the search path blows it, I might try to
resolve "aero." against the Greater Internet, and if the .aero TLD
*returns an A record*, then I'm in trouble. Correct?
> In my view, given the lack of standardization and the potential
> security implications, search paths shouldn’t be used at all.
True, but not entirely germane to this level of the issue.
> > The latter would seem to be avoidable by making sure that *DNS
> > resolution of bare TLDs always returns NXDOMAIN*.
> It is quite rare that a TLD is queried for directly. Resolver
> libraries generally do not parse the name being queried and send the
> minimum to the authoritative servers. That is, if a resolver is asked
> for “foo.bar.com”, it sends the entire string to the root server and
> gets back a referral to the COM servers — it generally does not parse
> “foo.bar.com” to get the TLD and send “COM” to the root servers to get
> the referral. This latter behavior is called “QNAME minimization” and
> is a good idea for performance and privacy (and other reasons), but
> not yet generally implemented because it is a bit tricky in the
> general case.
Sure, but as you pointed out above, we're not talking about that.
We're talking, largely, about error cases *that used to break as you wanted,
and now might not*.
> > If it isn't, does anyone know of any domains dumb enough to actually
> > return something for a lookup on the bare TLD?
> There are a few ccTLDs that provide apex wildcards: they’ll return an
> “A” record for any random goop (.WS is an example), however this
> behavior is banned from gTLDs (an outcome of the SiteFinder debacle).
A records being returned for bare TLDs *is* formally banned?
(Oh: specifically for cctlds. Got it.)
> > Is there actually *any* good reason why a lookup on a bare TLD
> > ("com.") might return a valid record?
> Some of the folks in ICANN’s new gTLD program, typically the folks
> who’ve gone for “brand” TLDs (e.g., .bmw), have argued for what’s
> called “dotless” domains:
Yeah; that's not a "good" reason. :-)
> > And what about Naomi?
> Never was a big fan of the chair.
Electric Company FTW.
-- 
Jay R. Ashworth                  Baylink                    jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274
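The search-path behaviour the two of them are describing, as an added example that is not part of the thread and not the code of any real resolver library: a small Python simulation that builds the candidate list a stub resolver would try for a short name ("aero" with a search path of "bar.com;foo.bar.com"), looks each candidate up in a constructed zone table in which the bare TLD "aero." answers with an A record, and flags the case where a short name ended up resolving to a one-label name. The zone contents, the search path, the `ndots`/`absolute_first` knobs and the RFC 5737 addresses are all assumptions made for the illustration.

```python
"""Simulate DNS search-path resolution against a bare TLD that answers.

Constructed example; the zone data, search path and addresses are made up
(RFC 5737 documentation addresses), and the algorithm is a simplification
of what common stub resolvers do, not a copy of any particular library.
"""
from __future__ import annotations
from typing import Optional, Dict, List, Tuple

# Constructed "authoritative" data: absolute name -> IPv4 address.
# The entry for "aero." models a TLD whose apex returns an A record,
# which is exactly the case the thread worries about.
ZONE: Dict[str, str] = {
    "www.bar.com.": "192.0.2.10",
    "mail.foo.bar.com.": "192.0.2.20",
    "aero.": "198.51.100.1",  # constructed: bare-TLD apex A record
}

SEARCH = ["bar.com", "foo.bar.com"]  # constructed search path


def lookup(fqdn: str, zone: Dict[str, str]) -> Optional[str]:
    """Return the A record for an absolute name, or None for NXDOMAIN."""
    return zone.get(fqdn)


def candidates(name: str, search: List[str], ndots: int = 1,
               absolute_first: bool = False) -> List[str]:
    """List the absolute names a resolver would try for `name`, in order.

    A name with a trailing dot is absolute and is tried alone.  Otherwise
    each search suffix is appended; the bare name ("aero.") is tried first
    when it already contains at least `ndots` dots, or when the resolver
    belongs to the family that tries the bare name first (absolute_first),
    and last otherwise.
    """
    if name.endswith("."):
        return [name]
    bare = name + "."
    suffixed = [f"{name}.{s.rstrip('.')}." for s in search]
    if absolute_first or name.count(".") >= ndots:
        return [bare] + suffixed
    return suffixed + [bare]


def resolve(name: str, search: List[str], zone: Dict[str, str],
            **kw) -> Tuple[Optional[str], Optional[str]]:
    """Return (answered_fqdn, address) for the first candidate that exists."""
    for fqdn in candidates(name, search, **kw):
        addr = lookup(fqdn, zone)
        if addr is not None:
            return fqdn, addr
    return None, None


def bare_tld_collision(answered_fqdn: Optional[str]) -> bool:
    """True when the answer is a single-label name, i.e. a bare TLD.

    A short hostname typed by a user should never end up here; seeing it
    in resolver or proxy logs is a cheap signal that a search-path lookup
    leaked out to the public root and hit a TLD that answers.
    """
    if answered_fqdn is None:
        return False
    labels = [label for label in answered_fqdn.split(".") if label]
    return len(labels) == 1


if __name__ == "__main__":
    # The internal host "aero" is missing from the zone ("the search path
    # blows it"), so the lookup falls through to the bare TLD and succeeds.
    fqdn, addr = resolve("aero", SEARCH, ZONE)
    print(f"aero -> {fqdn} {addr} collision={bare_tld_collision(fqdn)}")

    # Even when the internal host exists, a resolver that tries the bare
    # name first reaches the TLD apex instead of the internal machine.
    zone2 = dict(ZONE, **{"aero.bar.com.": "192.0.2.30"})
    print("default order :", resolve("aero", SEARCH, zone2))
    print("absolute first:", resolve("aero", SEARCH, zone2, absolute_first=True))
```

The second scenario is the one that makes the ordering argument concrete: with the internal host present, the "suffixes first" family of resolvers returns the internal address, while the "bare name first" family returns the TLD apex, so the same `telnet aero` lands on a different host depending only on which libc is installed. Typing the name fully qualified with a trailing dot (`aero.bar.com.`) bypasses the search list entirely, which is the practical mitigation both sides of the thread are circling.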