----- Original Message -----
> From: "David Conrad" <d...@virtualized.org>

> A common case of name collision is driven by the “DNS search path”,
> e.g., if you have a “search path” of “bar.com;foo.bar.com” and you
> type “telnet baz”, _some_ resolver libraries will try to resolve
> “baz.bar.com”, if that fails then “baz.foo.bar.com”, if that fails
> then “baz.”, if that fails return an error to the user.
>
> However, the "search path” algorithm was never fully standardized and
> there are implementations that try “baz.” first (there are even some
> implementations that will split up the path elements, e.g., if
> ‘baz.bar.com’ fails, the resolver library will try ‘baz.com’).

Yes; this is what I was talking about. If I have a machine inside my
network called "aero", and I telnet to it, and for some reason the search
path blows it, I might try to resolve "aero." against the Greater Internet,
and if the .aero TLD *returns an A record*, then I'm in trouble. Correct?

> In my view, given the lack of standardization and the potential
> security implications, search paths shouldn’t be used at all.

True, but not entirely germane to this level of the issue.

> > The latter would seem to be avoidable by making sure that *DNS
> > resolution of bare TLDs always returns NXDOMAIN*.
>
> It is quite rare that a TLD is queried for directly. Resolver
> libraries generally do not parse the name being queried and send the
> minimum to the authoritative servers. That is, if a resolver is asked
> for “foo.bar.com”, it sends the entire string to the root server and
> gets back a referral to the COM servers — it generally does not parse
> “foo.bar.com” to get the TLD and send “COM” to the root servers to get
> the referral. This latter behavior is called “QNAME minimization” and
> is a good idea for performance and privacy (and other reasons), but
> not yet generally implemented because it is a bit tricky in the
> general case.

Sure, but as you pointed out above, we're not talking about that.

We're talking, largely, about error cases *that used to break as you
wanted, and now might not*.

> > If it isn't, does anyone know of any domains dumb enough to actually
> > return something for a lookup on the bare TLD?
>
> There are a few ccTLDs that provide apex wildcards: they’ll return an
> “A” record for any random goop (.WS is an example), however this
> behavior is banned from gTLDs (an outcome of the SiteFinder debacle).

A records being returned for bare TLDs *is* formally banned? (Oh:
specifically for ccTLDs. Got it.) Citation?

> > Is there actually *any* good reason why a lookup on a bare TLD
> > ("com.") might return a valid record?
>
> Some of the folks in ICANN’s new gTLD program, typically the folks
> who’ve gone for “brand” TLDs (e.g., .bmw), have argued for what’s
> called “dotless” domains:

Yeah; that's not a "good" reason. :-)

> > And what about Naomi?
>
> Never was a big fan of the chair. Electric Company FTW.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       j...@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274
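The search-path expansion and the "aero" failure mode discussed in this thread, as an added example that is not part of the original messages. It models the resolver behaviour David describes against a constructed answer table; the internal zone `corp.example` and the A record on `aero.` are assumptions, not real DNS data.

```python
from typing import Dict, List, Optional, Tuple

# Constructed answer table standing in for the internal zone plus the public
# DNS; keys are absolute names (trailing dot). "aero." carrying an A record is
# a hypothetical, included to show the failure mode the thread worries about.
DNS_ANSWERS: Dict[str, str] = {
    "aero.corp.example.": "10.0.0.5",   # the internal host "aero"
    "aero.": "203.0.113.7",             # hypothetical: TLD apex answering with A
}

def search_candidates(name: str, search_path: List[str],
                      absolute_first: bool = False,
                      split_path: bool = False) -> List[str]:
    """Names a search-path resolver would try, in order, for a short name.

    absolute_first models implementations that try "baz." before the
    search list; split_path models those that also walk up each search
    domain (baz.foo.bar.com -> baz.bar.com -> baz.com).
    """
    if name.endswith("."):
        return [name]                    # already absolute: search list unused
    suffixed: List[str] = []
    for domain in search_path:
        labels = domain.strip(".").split(".")
        suffixed.append(f"{name}.{'.'.join(labels)}.")
        if split_path:
            for i in range(1, len(labels)):
                suffixed.append(f"{name}.{'.'.join(labels[i:])}.")
    bare = f"{name}."
    return [bare] + suffixed if absolute_first else suffixed + [bare]

def resolve(name: str, search_path: List[str],
            answers: Dict[str, str] = DNS_ANSWERS,
            **opts) -> Optional[Tuple[str, str]]:
    """Return (fqdn, address) for the first candidate that answers, else None."""
    for fqdn in search_candidates(name, search_path, **opts):
        if fqdn in answers:
            return fqdn, answers[fqdn]
    return None                          # every candidate was NXDOMAIN

if __name__ == "__main__":
    # Search path intact: the internal host is found.
    print(resolve("aero", ["corp.example"]))
    # Search path lost (or bare name tried first): the TLD's A record wins.
    print(resolve("aero", []))
    print(resolve("aero", ["corp.example"], absolute_first=True))
    # If the TLD returned NXDOMAIN instead, the user gets the error they expect.
    nx = {k: v for k, v in DNS_ANSWERS.items() if k != "aero."}
    print(resolve("aero", [], answers=nx))
```

Running the script shows the same short name landing on the internal host, on the TLD apex, or on a clean error depending only on how the search list is handled, which is the case for bare TLDs always returning NXDOMAIN.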