---- Original Message -----
From: "David Conrad" <drc@virtualized.org>
A common case of name collision is driven by the “DNS search path”, e.g., if you have a “search path” of “bar.com;foo.bar.com” and you type “telnet baz”, _some_ resolver libraries will try to resolve “baz.bar.com”, if that fails then “baz.foo.bar.com”, if that fails then “baz.”, if that fails return an error to the user.
However, the “search path” algorithm was never fully standardized and there are implementations that try “baz.” first (there are even some implementations that will split up the path elements, e.g., if “baz.bar.com” fails, the resolver library will try “baz.com”).
Yes; this is what I was talking about. If I have a machine inside my network called "aero", and I telnet to it, and for some reason the search path blows it, I might try to resolve "aero." against the Greater Internet, and if the .aero TLD *returns an A record*, then I'm in trouble. Correct?
In my view, given the lack of standardization and the potential security implications, search paths shouldn’t be used at all.
True, but not entirely germane to this level of the issue.
The latter would seem to be avoidable by making sure that *DNS resolution of bare TLDs always returns NXDOMAIN*.
It is quite rare that a TLD is queried for directly. Resolver libraries generally do not parse the name being queried and send the minimum to the authoritative servers. That is, if a resolver is asked for “foo.bar.com”, it sends the entire string to the root server and gets back a referral to the COM servers — it generally does not parse “foo.bar.com” to get the TLD and send “COM” to the root servers to get the referral. This latter behavior is called “QNAME minimization” and is a good idea for performance and privacy (and other reasons), but not yet generally implemented because it is a bit tricky in the general case.
Sure, but as you pointed out above, we're not talking about that. We're talking, largely, about error cases *that used to break as you wanted, and now might not*.
If it isn't, does anyone know of any domains dumb enough to actually return something for a lookup on the bare TLD?
There are a few ccTLDs that provide apex wildcards: they’ll return an “A” record for any random goop (.WS is an example), however this behavior is banned from gTLDs (an outcome of the SiteFinder debacle).
A records being returned for bare TLDs *is* formally banned? (Oh: specifically for ccTLDs. Got it.) Citation?
Is there actually *any* good reason why a lookup on a bare TLD ("com.") might return a valid record?
Some of the folks in ICANN’s new gTLD program, typically the folks who’ve gone for “brand” TLDs (e.g., .bmw), have argued for what’s called “dotless” domains:
Yeah; that's not a "good" reason. :-)
And what about Naomi?
Never was a big fan of the chair.
Electric Company FTW.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274
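The search-path behaviour and the bare-TLD collision discussed in the thread, as an added simulation (not code from either poster). It models the conventional expansion order, the non-standard "bare name first" variant, and the label-stripping variant David describes, and goes one step further than the thread by showing a client-side check that refuses an answer obtained for a single-label name. The zone data, the `corp.example` search domain and the `aero.` apex A record are constructed for the illustration; `192.0.2.1` is RFC 5737 documentation space.

```python
"""Stub-resolver search-path simulation (added illustration, not code
from the thread). All zone data below is constructed."""

from typing import Dict, List, Optional, Tuple

# Constructed answers standing in for an internal zone plus a TLD that
# hypothetically serves an A record at its apex, the case the thread
# worries about for .aero.
ZONE: Dict[str, str] = {
    "aero.corp.example.": "10.0.0.5",   # the internal host
    "aero.": "192.0.2.1",               # hypothetical apex A on the TLD
}


def _labels(name: str) -> List[str]:
    return [l for l in name.split(".") if l]


def candidates(name: str, search: List[str], ndots: int = 1,
               bare_first: bool = False, strip_labels: bool = False) -> List[str]:
    """FQDNs a stub resolver would try, in order.

    Default order follows the common convention: a name with fewer than
    `ndots` dots is tried with each search suffix appended, then as an
    absolute name. `bare_first` models implementations that try the bare
    name first; `strip_labels` models those that also walk up each search
    suffix (baz.foo.bar.com -> baz.bar.com -> baz.com).
    """
    if name.endswith("."):            # already absolute; no expansion
        return [name]
    absolute = name + "."
    expanded: List[str] = []
    for s in search:
        chain = _labels(s)
        if strip_labels:
            suffixes = [".".join(chain[i:]) for i in range(len(chain))]
        else:
            suffixes = [".".join(chain)]
        for suf in suffixes:
            fqdn = f"{name}.{suf}."
            if fqdn not in expanded:
                expanded.append(fqdn)
    if bare_first or name.count(".") >= ndots:
        return [absolute] + expanded
    return expanded + [absolute]


def resolve(name: str, search: List[str], zone: Dict[str, str],
            **kw) -> Optional[Tuple[str, str]]:
    """Walk the candidate list; return (fqdn, address) of the first hit."""
    for fqdn in candidates(name, search, **kw):
        if fqdn in zone:
            return fqdn, zone[fqdn]
    return None


def is_bare_tld(fqdn: str) -> bool:
    """True when the name has a single label, i.e. a query for a TLD itself."""
    return len(_labels(fqdn)) == 1


def safe_resolve(name: str, search: List[str], zone: Dict[str, str],
                 **kw) -> Optional[Tuple[str, str]]:
    """Like resolve(), but refuses an answer obtained for a bare TLD.

    Client-side counterpart of 'bare TLDs should return NXDOMAIN': a
    single-label answer is treated as a name collision, not a host.
    """
    hit = resolve(name, search, zone, **kw)
    if hit is not None and is_bare_tld(hit[0]):
        return None
    return hit


if __name__ == "__main__":
    print("correct search path :", resolve("aero", ["corp.example"], ZONE))
    print("broken search path  :", resolve("aero", ["wrong.example"], ZONE))
    print("bare-first resolver :", resolve("aero", ["corp.example"], ZONE, bare_first=True))
    print("label-stripping     :", candidates("baz", ["foo.bar.com"], strip_labels=True))
    print("guarded, broken path:", safe_resolve("aero", ["wrong.example"], ZONE))
```

Run as a script it shows the three ways "aero" ends up being asked of the TLD (broken search list, bare-first resolver, label stripping) and that only the guarded lookup turns the apex A record into a failure rather than a connection to the wrong host.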