• Home
  • About Us
  • Contact
  • Advertise
  • Awards
  • Privacy Policy
  • Twitter
  • Facebook
  • RSS
TheDomains.com

Internet Architecture Board: Dotless Domains May “Cause Significant Harm To The Security of the Internet”

July 11, 2013 by Michael Berkens

The Internet Architecture Board, has come out strongly against Dotless Domains as proposed by Google to operate the .Search new gTLD.

“It has come to the attention of the IAB that there are proposals for so-called “dotless” domains in the root zone, and that some existing top-level domains (TLDs) are already operating in such a mode.

“TLD operators of dotless domains are intending that single label names — those containing no dots — resolve to the TLD itself, rather than be resolved locally, within the context of the local site at which the user resides.

“Unfortunately, dotless domains will not work as intended by TLD operators in the vast majority of cases.

“As recommended by IETF standards track RFCs, existing deployed systems apply a search list to single-label names prior to attempting to resolve them. As a result, the resolution of dotless domains depends on local configuration such as the search list. For example, in a location where “example.com” is included within the search list, the URL http://printer1/ will generate a query for “printer1.example.com”, whereas in a location where “example.net” is in the search list, it will generate a query for “printer1.example.net”.

“This behavior was developed in the DNS precisely because most users entering single-label names want them to be resolved in a local context, and they do not expect a single name to refer to a TLD. The behavior is specified within a succession of standards track documents developed over several decades, and is now implemented by hundreds of millions of Internet hosts. This standard approach enables single-label names to be conveniently used as shortcuts to hosts within a local administration, while also shielding the root zone from a potentially excessive number of queries for single-label names.

“Since the configuration of the search list has security implications, it is under the control of local host and network administrators, and completely outside the control of TLD operators.

“Since dotless domains will not behave consistently across various locations (and applications and platforms that may have different search list configuration mechanisms), they have the potential to confuse users and erode the stability of the global DNS. By attempting to change expected behavior, dotless domains introduce potential security vulnerabilities. These include causing traffic intended for local services to be directed onto the global Internet (and vice-versa), which can enable a number of attacks, including theft of credentials and cookies, cross-site scripting attacks, etc. As a result, the deployment of dotless domains has the potential to cause significant harm to the security of the Internet.

“The IAB therefore feels compelled to state the following:

  1. The IAB strongly recommends against considering, implementing, or deploying dotless domains.
  2. The IAB believes that dotless domains are inherently harmful to Internet security.
  3. Applications and platforms that apply a suffix search list to a single-label name are in conformance with IETF standards track RFCs. Furthermore, applications and platforms that do not query DNS for a TLD are in conformance with IETF standards track recommendations intended to minimize security vulnerabilities and reduce load on the root servers.””

Filed Under: New gTLD's

About Michael Berkens

Michael Berkens, Esq. is the founder and Editor-in-Chief of TheDomains.com. Michael is also the co-founder of Worldwide Media Inc. which sold around 70K domain to Godaddy.com in December 2015 and now owns around 8K domain names . Michael was also one of the 5 Judges selected for the the Verisign 30th Anniversary .Com contest.

« UDRP Complainant Agrees To Buy Quirk.com For $85K; Backs Out: Now Loses UDRP
Body.com Sells On Godaddy.com For $380,000 »

Comments

  1. jp says

    July 11, 2013 at 12:39 pm

    Speaking as a giant computer nerd, this pretty much kills dotless domains.

  2. +++ Picti.US +++ says

    July 11, 2013 at 1:39 pm

    why not TLD-less domains?

  3. pheenix says

    July 11, 2013 at 7:11 pm

    With all the comments against dotless domains, where are all the comments in agreement for dotless domains?

    Tan


Recent Articles

  • Sedo now offering 6 more payment options
  • NameJet/SnapNames May 2022 domain sales led by Vip.org
  • Sedo weekly domain sales led by Yachts.com

Recent Comments

  • FX on Move over Web3 hype here comes Web5
  • steven on JoeRogan.net expires closes at $52,000 at GoDaddy auctions
  • Mark Thorpe on JoeRogan.net expires closes at $52,000 at GoDaddy auctions
  • brian on JoeRogan.net expires closes at $52,000 at GoDaddy auctions
  • Cheetah Cowboy on Sedo weekly domain name sales led by Marathon.de

Polls

How Many .Web Domains Will Be Registered 1 Year After Launch

View Results

Loading ... Loading ...
  • Polls Archive

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Categories

Archives

domain name news

Copyright ©2019 TheDomains.com — Published by Worldwide Media, Inc. — Site by Nuts and Bolts Media