Home / News I have a News Tip

Dotless Domains Considered Harmful, Says IAB

In light of recent controversies around the implementation of dotless domains, the Internet Architecture Board (IAB) has released a statement calling the practice harmful. From the executive summary:

* * *

It has come to the attention of the IAB that there are proposals for so-called "dotless" domains in the root zone, and that some existing top-level domains (TLDs) are already operating in such a mode. TLD operators of dotless domains are intending that single label names — those containing no dots — resolve to the TLD itself, rather than be resolved locally, within the context of the local site at which the user resides.

Unfortunately, dotless domains will not work as intended by TLD operators in the vast majority of cases. As recommended by IETF standards track RFCs, existing deployed systems apply a search list to single-label names prior to attempting to resolve them. As a result, the resolution of dotless domains depends on local configuration such as the search list. For example, in a location where "example.com" is included within the search list, the URL http://printer1/ will generate a query for "printer1.example.com", whereas in a location where "example.net" is in the search list, it will generate a query for "printer1.example.net".

This behavior was developed in the DNS precisely because most users entering single-label names want them to be resolved in a local context, and they do not expect a single name to refer to a TLD. The behavior is specified within a succession of standards track documents developed over several decades, and is now implemented by hundreds of millions of Internet hosts. This standard approach enables single-label names to be conveniently used as shortcuts to hosts within a local administration, while also shielding the root zone from a potentially excessive number of queries for single-label names. Since the configuration of the search list has security implications, it is under the control of local host and network administrators, and completely outside the control of TLD operators.

Since dotless domains will not behave consistently across various locations (and applications and platforms that may have different search list configuration mechanisms), they have the potential to confuse users and erode the stability of the global DNS. By attempting to change expected behavior, dotless domains introduce potential security vulnerabilities. These include causing traffic intended for local services to be directed onto the global Internet (and vice-versa), which can enable a number of attacks, including theft of credentials and cookies, cross-site scripting attacks, etc. As a result, the deployment of dotless domains has the potential to cause significant harm to the security of the Internet.

The IAB therefore feels compelled to state the following:

1. The IAB strongly recommends against considering, implementing, or deploying dotless domains.

2. The IAB believes that dotless domains are inherently harmful to Internet security.

3. Applications and platforms that apply a suffix search list to a single-label name are in conformance with IETF standards track RFCs. Furthermore, applications and platforms that do not query DNS for a TLD are in conformance with IETF standards track recommendations intended to minimize security vulnerabilities and reduce load on the root servers.

To read IAB's full statement click here.

Related topics: Cybersecurity, DNS, Domain Names, Policy & Regulation, Top-Level Domains

 
   

Don't miss a thing – get the Weekly Wrap delivered to your inbox.

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

DNS Security

Sponsored by Afilias

Cybersecurity

Sponsored by Verisign

Mobile Internet

Sponsored by Afilias Mobile & Web Services

IP Addressing

Sponsored by Avenue4 LLC

Promoted Posts

Buying or Selling IPv4 Addresses?

ACCELR/8 is a transformative IPv4 market solution developed by industry veterans Marc Lindsey and Janine Goodman that enables organizations buying or selling blocks as small as /20s to keep pace with the evolving demands of the market by applying processes that have delivered value for many of the largest market participants. more»

Industry Updates – Sponsored Posts

Domain Registrations Reach 331.9 Million, 6.7 Million Growth Year over Year

.brands Spotlight: Banking and Finance Industries

Google Buys Business.Site Domain for 'Google My Business'

Radix Announces Global Web Design Contest, F3.space

Global Domain Name Registrations Reach 330.6 Million, 1.3 Million Growth in First Quarter of 2017

.TECH Gets Its Big Hollywood Break

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Why the Record Number of Reverse Domain Name Hijacking UDRP Filings in 2016?

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

UDRP: Better Late than Never - ICA Applauds WIPO for Removing Misguided 'Retroactive Bad Faith'

The Rise and Fall of the UDRP Theory of 'Retroactive Bad Faith'

.PRESS Supports Press Freedom Day for 3rd Consecutive Year

Leading Internet Associations Strengthen Cooperation

5 Afilias Top Level Domains Now Licensed for Sale in China

Radix Announces Largest New gTLD Sale with Casino.Online

2016 Year in Review: The Trending Keywords in .COM and .NET Domain Registrations

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

i2Coalition to Present Tucows CEO Elliot Noss With Internet Community Leadership Award

A Look at How the New .SPACE TLD Has Performed Over the Past 2 Years

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016