In message <20130716150721.gg29...@mip.aaaaa.org>, Ofer Inbar writes:
> > >>What this brings to mind is that we used to have implicit DNS domain
> > >>search in the early days of DNS.  When edu.com accidentally hijacked
> > >>a huge chunk of the Internet, most of the net very quickly got rid of
> > >>implicit search, and we got the explicit DNS search feature that many
> > >>people are discussing now.
> > >
> > >Yes.
> > 
> > Can you (or Ofer) define how you're using the terms "explicit" and 
> > "implicit" in terms of DNS search, and what their relevance is to the 
> > topic of dotless domains? And no, I'm not being snarky, I think part of 
> > the problem here is a fundamental misunderstanding of how the vast 
> > majority of hosts are configured currently.
> 
> You're not being snarky, but that indicates that you seem to have
> missed my point, which is not about the technical details of how
> domain search got changed after the edu.com disaster.  My point is
> not to make a direct parallel between how domain search changed, and
> dotless domains, and you seem to be looking at it in that light.
> 
> What this brings to mind is that we had a DNS system that was
> vulnerable to the addition of something to the DNS that people had
> expected nobody would make the mistake of doing, but it happened and
> caused damage, and the net reacted by altering how DNS software works
> in order to protect against that damage.  At the time, the obvious
> defensive change was "don't do implicit domain search".  If dotless
> domains cause damage as many people here predict, what I'm saying is
> that I think we'll react similarly, and that I guess the defensive
> change people will widely deploy is to reject A/AAAA/MX records at
> the top level.
> 
> You really do not need to drill into the specifics of the change from
> implicit to explicit domain search in reaction to edu.com, in this
> context.  So it sounds to me like you have something quite different
> in mind.  I don't know what you think I was trying to say - it's not
> anything I said explicitly, so perhaps you think I was trying to
> subtly say something between the lines.  To be clear: I wasn't.
>   -- Cos

It was more than implicit to explicit.  It was also trying domains
with dots "as is" first.  Domains with periods were treated as fully
qualified until proved otherwise.  Unqualified domains were qualified
then tried "as is" if a match was not found.

It is bad to treat domains with periods as partially qualified.
It is bad to treat domains without periods as qualified.

Note it is also more than A, AAAA and MX record at the tld label.
It is also SRV records where they are used with a base name in
a host context.

_http._tcp.tld/SRV is equally bad as tld/A, whereas
_whois._tcp.tld/SRV would not be an issue as it would point to
the whois service for names that end in .tld.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
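An added example, not part of the thread or ISC's code, modelling the two points in Mark's reply: the search-list ordering he describes (names with a period are treated as fully qualified until proved otherwise, unqualified names are qualified first and tried as-is only on a miss), and the defensive filter he predicts (rejecting A/AAAA/MX at a top-level label, plus SRV records for host-context services such as _http._tcp). The `ndots` parameter generalises the thread's "has a period" rule to the threshold used in resolv.conf(5); the search lists, zone contents and the set of host-context services are constructed for the demo, with only "http" (bad) and "whois" (fine) coming from the message itself.

```python
"""Constructed demo of resolver search-list qualification and a top-level
record policy.  All names, search suffixes, addresses (TEST-NET-1) and the
HOST_CONTEXT_SERVICES set are assumptions made for this example."""

from typing import Iterable, Optional, Tuple


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so comparisons are stable."""
    return name.lower().rstrip(".")


def search_candidates(name: str, search_list: Iterable[str], ndots: int = 1) -> list:
    """Return the names a resolver should try, in order.

    A name ending in '.' is absolute and is never searched.  A name with at
    least `ndots` periods is treated as fully qualified until proved
    otherwise: tried as-is first, then with each search suffix.  A name with
    fewer periods is qualified with the search list first and tried as-is
    only if nothing matched.  ndots=1 is the rule as stated in the thread.
    """
    if name.endswith("."):
        return [normalize(name)]
    bare = normalize(name)
    qualified = [f"{bare}.{normalize(s)}" for s in search_list]
    if bare.count(".") >= ndots:
        return [bare] + qualified
    return qualified + [bare]


def resolve(name: str, search_list: Iterable[str], zone: dict,
            ndots: int = 1) -> Optional[Tuple[str, str]]:
    """Walk the candidates against a toy zone; first hit wins."""
    for cand in search_candidates(name, search_list, ndots):
        if cand in zone:
            return cand, zone[cand]
    return None


# Services whose SRV records name a host rather than a registry/lookup
# service for the whole TLD.  "http" is the thread's bad example; extend
# this set as a local policy decision (assumption, not from the page).
HOST_CONTEXT_SERVICES = {"http"}


def rejected_at_top_level(owner: str, rtype: str,
                          host_services: set = HOST_CONTEXT_SERVICES) -> bool:
    """True if a record would make a bare TLD label behave like a host.

    Rejects A/AAAA/MX owned by a single label, and SRV records of the form
    _service._proto.tld whose service is in `host_services`.  Everything
    else (NS, SOA, DS, deeper names, _whois._tcp.tld) passes.
    """
    labels = normalize(owner).split(".")
    if rtype in ("A", "AAAA", "MX"):
        return len(labels) == 1 and labels[0] != ""
    if rtype == "SRV" and len(labels) == 3:
        service, proto, _tld = labels
        if service.startswith("_") and proto.startswith("_"):
            return service[1:] in host_services
    return False


if __name__ == "__main__":
    # Constructed zone: a local host plus a dotless TLD with an A record.
    zone = {"www.example.net": "192.0.2.10", "tld": "192.0.2.99"}
    print(resolve("www", ["example.net"], zone))   # local host via search list
    print(resolve("tld", ["example.net"], zone))   # falls through to the bare TLD
    zone["tld.example.net"] = "192.0.2.5"          # now the search list shadows it
    print(resolve("tld", ["example.net"], zone))
    for owner, rtype in [("tld", "A"), ("_http._tcp.tld", "SRV"),
                         ("_whois._tcp.tld", "SRV"), ("www.tld", "A")]:
        print(owner, rtype, "rejected" if rejected_at_top_level(owner, rtype) else "ok")
```

The third `resolve` call is the ambiguity the thread is worried about: once a local zone happens to contain a name matching the dotless TLD, the same unqualified string silently resolves to a different host depending on which resolver (and which search list) asks.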
