Bare TLD resolutions
- Subject: Bare TLD resolutions
- From: jra at baylink.com (Jay Ashworth)
- Date: Wed, 17 Sep 2014 13:36:09 -0400 (EDT)
- In-reply-to: <[email protected]>
----- Original Message -----
> From: "David Conrad" <drc at virtualized.org>
> A common case of name collision is driven by the "DNS search path",
> e.g., if you have a "search path" of "bar.com;foo.bar.com" and you
> type "telnet baz", _some_ resolver libraries will try to resolve
> "baz.bar.com", if that fails then "baz.foo.bar.com", if that fails
> then "baz.", if that fails return an error to the user.
>
> However, the "search path" algorithm was never fully standardized and
> there are implementations that try "baz." first (there are even some
> implementations that will split up the path elements, e.g., if
> "baz.bar.com" fails, the resolver library will try "baz.com").
Yes; this is what I was talking about.
If I have a machine inside my network called "aero", and I telnet to
it, and for some reason the search path blows it, I might try to
resolve "aero." against the Greater Internet, and if the .aero TLD
*returns an A record*, then I'm in trouble. Correct?
> In my view, given the lack of standardization and the potential
> security implications, search paths shouldn't be used at all.
True, but not entirely germane to this level of the issue.
> > The latter would seem to be avoidable by making sure that *DNS
> > resolution of bare TLDs always returns NXDOMAIN*.
>
> It is quite rare that a TLD is queried for directly. Resolver
> libraries generally do not parse the name being queried and send the
> minimum to the authoritative servers. That is, if a resolver is asked
> for "foo.bar.com", it sends the entire string to the root server and
> gets back a referral to the COM servers -- it generally does not parse
> "foo.bar.com" to get the TLD and send "COM" to the root servers to get
> the referral. This latter behavior is called "QNAME minimization" and
> is a good idea for performance and privacy (and other reasons), but
> not yet generally implemented because it is a bit tricky in the
> general case.
Sure, but as you pointed out above, we're not talking about that.
We're talking, largely, about error cases *that used to break as you wanted,
and now might not*.
> > If it isn't, does anyone know of any domains dumb enough to actually
> > return something for a lookup on the bare TLD?
>
> There are a few ccTLDs that provide apex wildcards: they'll return an
> "A" record for any random goop (.WS is an example), however this
> behavior is banned from gTLDs (an outcome of the SiteFinder debacle).
A records being returned for bare TLDs *is* formally banned?
(Oh: specifically for ccTLDs. Got it.)
Citation?
> > Is there actually *any* good reason why a lookup on a bare TLD
> > ("com.") might return a valid record?
>
> Some of the folks in ICANN's new gTLD program, typically the folks
> who've gone for "brand" TLDs (e.g., .bmw), have argued for what's
> called "dotless" domains:
Yeah; that's not a "good" reason. :-)
> > And what about Naomi?
>
> Never was a big fan of the chair.
Electric Company FTW.
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra at baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII
St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
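The search-path walk David describes, and the bare-TLD fall-through Jay is worried about, as an added simulation that is not part of the thread. The answer table is constructed: it gives "aero." an A record to model a TLD with an apex wildcard (the thread does not say .aero actually does this), and the search-suffix rule follows the glibc-style `ndots` convention as one of the several unstandardized behaviours mentioned above. The `reject_bare_tld` switch is a hypothetical stub-side version of the "bare TLDs always return NXDOMAIN" proposal.

```python
"""Simulation of a stub resolver's search-path walk (constructed example).

Models the collision discussed in the thread: a short name such as "aero",
meant to be an internal host, falls through the search list and is sent to
the Internet as the bare TLD "aero.", where an apex wildcard answers.
"""

# Constructed stand-in for the whole DNS. Trailing dot marks an absolute name.
# "aero." carries an A record to model a TLD apex wildcard (hypothetical data).
INTERNET = {
    "aero.corp.example.": "10.0.0.5",   # the internal host the user meant
    "aero.": "192.0.2.1",               # TLD apex wildcard (constructed)
}


def search_candidates(name, search_path, ndots=1):
    """Return the ordered list of absolute names a resolver would try.

    Absolute names (trailing dot) are never expanded. A relative name with
    fewer than `ndots` dots gets the search suffixes first, then the bare
    name; a name with at least `ndots` dots tries the bare name first.
    This is the glibc-style rule; other libraries differ, as the thread notes.
    """
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{suffix.strip('.')}." for suffix in search_path]
    bare = [name + "."]
    if name.count(".") < ndots:
        return suffixed + bare
    return bare + suffixed


def is_bare_tld(absolute_name):
    """True for a single-label absolute name such as "aero." or "com."."""
    return absolute_name.count(".") == 1 and absolute_name.endswith(".")


def resolve(name, search_path, table=INTERNET, ndots=1, reject_bare_tld=False):
    """Return (queried_name, address) for the first candidate with an answer,
    or (None, None) when every candidate is NXDOMAIN.

    reject_bare_tld models the proposed mitigation: an answer for a bare TLD
    is treated as NXDOMAIN instead of being handed back to the caller.
    """
    for candidate in search_candidates(name, search_path, ndots):
        addr = table.get(candidate)
        if addr is None:
            continue  # NXDOMAIN for this candidate; keep walking the list
        if reject_bare_tld and is_bare_tld(candidate):
            continue  # apex wildcard on a TLD: ignore, as if NXDOMAIN
        return candidate, addr
    return None, None


if __name__ == "__main__":
    # Search path matches the host's domain: the internal address wins.
    print(resolve("aero", ["corp.example"]))
    # Search path "blows it" (wrong suffix): the walk ends at "aero." and the
    # TLD's wildcard A record is returned in place of the internal host.
    print(resolve("aero", ["other.example"]))
    # Same misconfiguration with bare-TLD answers treated as NXDOMAIN.
    print(resolve("aero", ["other.example"], reject_bare_tld=True))
    # The order David describes for "baz" with "bar.com;foo.bar.com".
    print(search_candidates("baz", ["bar.com", "foo.bar.com"]))
```

Run as a script to see the four cases; the middle two are the point: with the same input and the same DNS data, the only difference between getting an internal 10.0.0.5 and an unrelated 192.0.2.1 is whether the search list happened to contain the right suffix, and only the bare-TLD check turns that into the error the user would have seen before the TLD existed.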