Home / News

Dotless Domains Considered Harmful, Says IAB

In light of recent controversies around the implementation of dotless domains, the Internet Architecture Board (IAB) has released a statement calling the practice harmful. From the executive summary:

* * *

It has come to the attention of the IAB that there are proposals for so-called "dotless" domains in the root zone, and that some existing top-level domains (TLDs) are already operating in such a mode. TLD operators of dotless domains are intending that single label names — those containing no dots — resolve to the TLD itself, rather than be resolved locally, within the context of the local site at which the user resides.

Unfortunately, dotless domains will not work as intended by TLD operators in the vast majority of cases. As recommended by IETF standards track RFCs, existing deployed systems apply a search list to single-label names prior to attempting to resolve them. As a result, the resolution of dotless domains depends on local configuration such as the search list. For example, in a location where "example.com" is included within the search list, the URL http://printer1/ will generate a query for "printer1.example.com", whereas in a location where "example.net" is in the search list, it will generate a query for "printer1.example.net".

This behavior was developed in the DNS precisely because most users entering single-label names want them to be resolved in a local context, and they do not expect a single name to refer to a TLD. The behavior is specified within a succession of standards track documents developed over several decades, and is now implemented by hundreds of millions of Internet hosts. This standard approach enables single-label names to be conveniently used as shortcuts to hosts within a local administration, while also shielding the root zone from a potentially excessive number of queries for single-label names. Since the configuration of the search list has security implications, it is under the control of local host and network administrators, and completely outside the control of TLD operators.

Since dotless domains will not behave consistently across various locations (and applications and platforms that may have different search list configuration mechanisms), they have the potential to confuse users and erode the stability of the global DNS. By attempting to change expected behavior, dotless domains introduce potential security vulnerabilities. These include causing traffic intended for local services to be directed onto the global Internet (and vice-versa), which can enable a number of attacks, including theft of credentials and cookies, cross-site scripting attacks, etc. As a result, the deployment of dotless domains has the potential to cause significant harm to the security of the Internet.

The IAB therefore feels compelled to state the following:

1. The IAB strongly recommends against considering, implementing, or deploying dotless domains.

2. The IAB believes that dotless domains are inherently harmful to Internet security.

3. Applications and platforms that apply a suffix search list to a single-label name are in conformance with IETF standards track RFCs. Furthermore, applications and platforms that do not query DNS for a TLD are in conformance with IETF standards track recommendations intended to minimize security vulnerabilities and reduce load on the root servers.

To read IAB's full statement click here.

Related topics: DNS, Domain Names, Policy & Regulation, Security, Top-Level Domains

 
   
WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Industry Updates – Sponsored Posts

MarkMonitor Takes a Look at Progress on New gTLD Program in Latest Report

Priority Access Program for Verisign's First IDN New gTLD, .コム

Minds + Machines Group Expands Into Chinese Market

Dyn Weighs In On Whois

New .PET Domain Sunrise Period Begins January 19

Minds + Machines Adds .boston to geo-TLD Portfolio

.CO Hits 2 Million Domains as Premium Sales Surge

Season's Greetings - 2015 End of Year Message from DotConnectAfrica

Neustar's Career Site Launched Under Its Own Branded TLD: 'careers.neustar'

Data Volumes and Network Stress to Be Top IoT Concerns

DKIM for ESPs: The Struggle of Living Up to the Ideal

Radix Closes Holiday Sales With Over 35K Paid Registrations

Another Tech Leader Joins .tech

Radix's .ONLINE Fastest to Sell 100,000 Domains

.PRO Domains Now Available to All

Computerworld Names Afilias' Ram Mohan a Premier 100 Technology Leader

Verisign Mitigates More Attack Activity in Q3 2015 Than Any Other Quarter During Last Two Years

Protect Your Privacy - Opt Out of Public DNS Data Collection

The ".law" Domain Gains Momentum Throughout the Legal Profession

Verisign & Forrester Webinar: Defending Against Cyber Threats in Complex Hybrid-Cloud Environments

Sponsored Topics