[174509] in North American Network Operators' Group


Re: Bare TLD resolutions

daemon@ATHENA.MIT.EDU (Jay Ashworth)
Wed Sep 17 13:36:22 2014

X-Original-To: nanog@nanog.org
Date: Wed, 17 Sep 2014 13:36:09 -0400 (EDT)
From: Jay Ashworth <jra@baylink.com>
To: NANOG <nanog@nanog.org>
In-Reply-To: <323CB74D-8B3C-4E7D-BEC3-99BBBFA080B6@virtualized.org>
Errors-To: nanog-bounces@nanog.org

---- Original Message -----
> From: "David Conrad" <drc@virtualized.org>

> A common case of name collision is driven by the “DNS search path”,
> e.g., if you have a “search path” of “bar.com;foo.bar.com” and you
> type “telnet baz”, _some_ resolver libraries will try to resolve
> “baz.bar.com”, if that fails then “baz.foo.bar.com”, if that fails
> then “baz.”, if that fails return an error to the user.
>
> However, the “search path” algorithm was never fully standardized and
> there are implementations that try “baz.” first (there are even some
> implementations that will split up the path elements, e.g., if
> ‘baz.bar.com’ fails, the resolver library will try ‘baz.com’).

Yes; this is what I was talking about.

If I have a machine inside my network called "aero", and I telnet to
it, and for some reason the search path blows it, I might try to
resolve "aero." against the Greater Internet, and if the .aero TLD
*returns an A record*, then I'm in trouble.  Correct?

> In my view, given the lack of standardization and the potential
> security implications, search paths shouldn’t be used at all.

True, but not entirely germane to this level of the issue.

> > The latter would seem to be avoidable by making sure that *DNS
> > resolution of bare TLDs always returns NXDOMAIN*.
>
> It is quite rare that a TLD is queried for directly. Resolver
> libraries generally do not parse the name being queried and send the
> minimum to the authoritative servers. That is, if a resolver is asked
> for “foo.bar.com”, it sends the entire string to the root server and
> gets back a referral to the COM servers — it generally does not parse
> “foo.bar.com” to get the TLD and send “COM” to the root servers to get
> the referral. This latter behavior is called “QNAME minimization” and
> is a good idea for performance and privacy (and other reasons), but
> not yet generally implemented because it is a bit tricky in the
> general case.

Sure, but as you pointed out above, we're not talking about that.

We're talking, largely, about error cases *that used to break as you wanted,
and now might not*.

> > If it isn't, does anyone know of any domains dumb enough to actually
> > return something for a lookup on the bare TLD?
>
> There are a few ccTLDs that provide apex wildcards: they’ll return an
> “A” record for any random goop (.WS is an example), however this
> behavior is banned from gTLDs (an outcome of the SiteFinder debacle).

A records being returned for bare TLDs *is* formally banned?

(Oh: specifically for cctlds.  Got it.)

Citation?

> > Is there actually *any* good reason why a lookup on a bare TLD
> > ("com.") might return a valid record?
>
> Some of the folks in ICANN’s new gTLD program, typically the folks
> who’ve gone for “brand” TLDs (e.g., .bmw), have argued for what’s
> called “dotless” domains:

Yeah; that's not a "good" reason.  :-)

> > And what about Naomi?
>
> Never was a big fan of the chair.

Electric Company FTW.

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274
