<<<
Chronological Index
>>> <<<
Thread Index
>>>
Re: Fwd: [ga] Public Comments Requested on DNS Stability: The Effect of New gTLDs on ,the Internet Domain Name System
- To: Dominik Filipp <dominik.filipp@xxxxxxxx>
- Subject: Re: Fwd: [ga] Public Comments Requested on DNS Stability: The Effect of New gTLDs on ,the Internet Domain Name System
- From: Karl Auerbach <karl@xxxxxxxxxxxx>
- Date: Mon, 11 Feb 2008 01:43:29 -0800
OK, you got me on the trailing /. However, last time I noticed (I think
it was a couple of months ago) the absence of a trailing slash caused
some browser/webserver combinations (firefox/apache) to go through a
redirect sequence.
For real "fun" with domain names one can create names that are legit per
the basic DNS standard but which trip over the character set limitations
(a-z, A-Z, 0-9, and non-leading hyphen) that may or may not apply
depending on what the name is being used for and what software is being
used.
And they can be hidden from the user by mapping 'em via CNAME records.
For example, consider the name "maps-to-nonascii.cavebear.com" - give it
a try - it goes via a CNAME record to another name,
"non-ascii-chars\015\012\.\000end.cavebear.com" that has an A record
attached.
Those internal non-ascii characters tend to drive certain
implementations of gethostbyname() into the weeds (like, for instance,
the version on Linux.)
(One can also cause confusion by embedding dot characters into a DNS
label itself - the DNS protocol itself does not carry those dots we use
in the human [and zone file] representations, so it is possible to have
dot characters inside labels. However, a lot of utility library code
doesn't carry the labels around as length based strings and uses dots as
separators. That kind of ambiguity, especially when handled differently
by security code and application code, can be a source of security gaps.)
I've always wondered what might happen to certain kinds of machines if
there were a DNS label that went to a CNAME that was "del /F /Q C:\*.*"
What I'm getting at is this - there are lots of ways of generating names
that will cause trouble.
Rules that focus on simplistic problems - such as banning .php or .pdf
as top level domains - are inadequate and protect only against a tiny
portion of the latent possibilities.
Rather than banning such TLDs it might be better for ICANN to publish a
zone full of really pathological names - like my non-ascii and
label-with-dots examples - and set it up like the W3C html tester and
say to the world "If your resolver code can't gracefully hanle this then
it's broken."
It's better to fix the roof than try to prevent the rain - and it is
equally better to convince programmers to write better DNS code than it
is to try to find and ban all possible troublesome DNS character strings.
--karl--
--karl--
<<<
Chronological Index
>>> <<<
Thread Index
>>>
|