Mozilla and dotless domains


Mozilla and dotless domains

Gervase Markham
ICANN are running a consultation on the wisdom or otherwise of
permitting A (and AAAA) records at the top level of the DNS:

https://www.icann.org/en/news/public-comment/sac053-dotless-domains-24aug12-en.htm

I propose that Mozilla submit comments saying what a terrible idea this
is. Something along these lines:
http://forum.icann.org/lists/sac053-dotless-domains/msg00029.html

Is anyone interested in drafting something, perhaps taking inspiration
from comments submitted by others? I would expect it to cover the
unreliability and security concerns arising from the conflict with the
use of dotless names as internal names. For bonus points, talk about the
problems with creating TLS certificates for dotless names.

Gerv
_______________________________________________
dev-tech-network mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-network

Re: Mozilla and dotless domains

Ehsan Akhgari
On 2012-09-28 9:20 AM, Gervase Markham wrote:

> ICANN are running a consultation on the wisdom or otherwise of
> permitting A (and AAAA) records at the top level of the DNS:
>
>
> https://www.icann.org/en/news/public-comment/sac053-dotless-domains-24aug12-en.htm
>
>
> I propose that Mozilla submit comments saying what a terrible idea this
> is. Something along these lines:
> http://forum.icann.org/lists/sac053-dotless-domains/msg00029.html
>
> Is anyone interested in drafting something, perhaps taking inspiration
> from comments submitted by others? I would expect it to cover the
> unreliability and security concerns arising from the conflict with the
> use of dotless names as internal names. For bonus points, talk about the
> problems with creating TLS certificates for dotless names.

Out of curiosity, would you please expand a little bit on why this is a
bad idea?

Thanks!
Ehsan


Re: Mozilla and dotless domains

Gervase Markham
In reply to this post by Gervase Markham
On 28/09/12 16:02, Ehsan Akhgari wrote:
> Out of curiosity, would you please expand a little bit on why this is a
> bad idea?

Here are some of the reasons.

People expect dotless computer names to be on their intranet.

If someone has the "mail" TLD, and my intranet has a computer called
"mail", then there is potential (if DNS servers are not correctly
configured, which I'm sure they are often not) for my private mail to
get sent to the wrong place by my machine, possibly across international
borders, and possibly causing me to breach confidentiality rules.

In addition, if people want to put an Internet site on http://mail/,
they may well also want https://mail/, which requires issuing a cert for
a dotless name. Again, there is a clash with intranets. Although the CAB
Forum is trying to phase it out, there are a lot of legacy uses for
internal server certs with dotless names, and so anyone can get one.
This means that the Internet https://mail/ could be spoofed by anyone
who pays $20 for such a cert.

DNS is a canonical namespace. The dotless part is the naming equivalent
of "private use" IP addresses. Making them suddenly publicly resolvable
could have all sorts of unexpected consequences.

It's going to be bad enough when someone gets e.g. the TLD ".corp" and
thousands of businesses who had been using that as an unofficial
internal suffix have to reconfigure their networks. But allowing dotless
names to resolve means that there is no namespace which is safe for
internal use _at all_.

Gerv

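The resolver fall-through Gerv describes, as an added illustration that is not part of the thread: it assumes glibc-style "search"/"ndots" handling on the client, and every zone, name and address in it is constructed sample data.

```python
"""Simplified model of a stub resolver's search-list handling (assumption:
glibc-style "ndots"/"search" semantics, reduced to the parts that matter here).
It shows how a single-label intranet name such as "mail" is answered on the
corporate network but falls through to a public dotless TLD when the client
is elsewhere or the internal zone is unreachable. All zones, names and
addresses are constructed sample data, not real DNS."""

NDOTS = 1  # common default: names with fewer dots than this try the search list first

# Constructed zones: the company's internal zone and a hypothetical public
# root in which a registry has put an A record at the apex of a "mail" TLD.
INTERNAL_ZONE = {"mail.corp.example.": "10.0.0.25", "wiki.corp.example.": "10.0.0.30"}
PUBLIC_ROOT = {"mail.": "203.0.113.7"}


def candidates(name, search):
    """Fully-qualified names a stub resolver tries, in order."""
    if name.endswith("."):                      # already absolute: no search list
        return [name]
    with_search = [f"{name}.{suffix}." for suffix in search]
    absolute = [name + "."]
    if name.count(".") < NDOTS:
        return with_search + absolute           # search list first, bare name last
    return absolute + with_search


def resolve(name, search, reachable_zones):
    """Walk the candidates against the zones this client can currently reach.
    reachable_zones is a list of (zone_dict, is_public). Returns
    (fqdn, address, leaked); leaked is True when a public zone answered."""
    for fqdn in candidates(name, search):
        for zone, is_public in reachable_zones:
            if fqdn in zone:
                return fqdn, zone[fqdn], is_public
    return None, None, False


def leaking_hosts(hostnames, search, reachable_zones):
    """Defender's check: which single-label intranet names would be answered
    by a public TLD under this client configuration?"""
    return sorted(h for h in hostnames if resolve(h, search, reachable_zones)[2])


if __name__ == "__main__":
    on_net = [(INTERNAL_ZONE, False), (PUBLIC_ROOT, True)]
    off_net = [(PUBLIC_ROOT, True)]  # laptop on home Wi-Fi: no intranet DNS reachable
    print(resolve("mail", ["corp.example"], on_net))   # internal answer, no leak
    print(resolve("mail", ["corp.example"], off_net))  # falls through to "mail."
    print(leaking_hosts(["mail", "wiki"], [], off_net))  # ['mail']
```

The same walk applies to a client whose search list is stale or whose internal zone is temporarily unreachable: the bare-name candidate is still tried last and a public apex record answers it.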

Re: Mozilla and dotless domains

Peter Kasting
On Tue, Oct 2, 2012 at 3:13 AM, Gervase Markham <[hidden email]> wrote:

> On 28/09/12 16:02, Ehsan Akhgari wrote:
>
>> Out of curiosity, would you please expand a little bit on why this is a
>> bad idea?
>
>
In addition to what Gerv notes, there are also problems for browsers which
combine searching and navigating into one control (most of them these days,
and you can configure Firefox to do it although it's not the default UI).
Users of such interfaces presumably expect that common words in their
language will result in searches, not navigations.

I'm not sure to what degree that kind of consideration is in-scope here.

PK

Re: Mozilla and dotless domains

Gervase Markham
In reply to this post by Gervase Markham
On 28/09/12 14:20, Gervase Markham wrote:
> Is anyone interested in drafting something, perhaps taking inspiration
> from comments submitted by others?

Seems no-one else is, so here is my proposal. Comments welcome,
particularly if I'm talking rubbish from a technical perspective!

<start>
Title: Mozilla Response to Dotless Domains Consultation

This submission is sent on behalf of Mozilla, a non-profit organization
whose mission is to "promote openness, innovation and opportunity on the
web". We are particularly concerned with the continued smooth
functioning of the Web in particular and the Internet in general.

Therefore, although we suspect that, for technical reasons, dotless
domains will not work very well for their owners, it is the effect on
users, even those with no relationship with any sites under the TLD in
question, which concerns us.

The DNS' enormous value to mankind is that it is a global namespace - in
other words, in most cases, every name has a single owner. This is
something users are able to understand. However, just as there are areas
of the IP address range reserved for private use (RFC 1918), there are
also areas of the DNS namespace reserved for private use - either by RFC
(RFC 2606) or convention (e.g. .local, used by Zeroconf).

It is our contention that the dotless part of the DNS namespace is /de
facto/, and should be /de jure/, reserved for private use in similar manner.

Countless companies use dotless names for their internal servers.
Dotless names already have a meaning in a local context, and no-one can
tell from the outside what names have meaning where. This is very
similar to the use of the private use IP address ranges. And, just as
creating a routable host on the Internet with IP address 192.168.0.1
would lead to all sorts of undesired effects, so would creating a host
with the global DNS name "home" or "search".

We are particularly concerned about the security implications of dotless
domains. For example, 7 companies have applied for the new TLD "mail".
There must be many thousands of companies running an internal server
called "mail". A poorly-configured DNS server could lead to the sending
of private company email to the servers of the winning applicant.

Mozilla therefore joins the SSAC in being opposed to the idea of
"dotless domains", and we strongly recommend that new gTLD operators be
contractually prohibited from attempting to create them. Mozilla does
not rule out taking steps to ignore such records if their existence is
leading to security or stability problems for users.
<end>
