Generic TLDs Threaten Name Collisions and Information Leakage

CowboyRobot writes "As the Internet Corporation for Assigned Names and Numbers (ICANN) continues its march toward the eventual approval of hundreds, if not more than 1,000, generic top-level domains (gTLDs), security experts warn that some of the proposed names could weaken network security at many companies. Two major issues could cause problems for companies: If domain names that are frequently used on a company's internal network — such as .corp, .mail, and .exchange — become accepted gTLDs, then organizations could inadvertently expose data and server access to the Internet. In addition, would-be attackers could easily pick up certificates for domains that are not yet assigned and cache them for use in man-in-the-middle attacks when the specific gTLD is deployed." Another way to look at it: why were they using invalid domains in the first place?

That's why I have been giving my internal

[ls671]

That's why I have been giving my internal domains silly like .zyxprivnet for at least 15 years...

It would be nice to reserve some domain names for internal use although, just like internal ip addresses.

Re:That's why I have been giving my internal

oh, like .local ? >_>

Re:That's why I have been giving my internal

[TheLink]

I actually tried to get a TLD reserved for "RFC1918" style use about 12+ years ago: http://tools.ietf.org/html/draft-yeoh-tldhere-01

I also tried the ICANN but they weren't interested either. And when they approved stuff like .biz, .info. I got the impression they weren't really interested in improving the Internet from a technical aspect but more interested in $$$$. Did the creation of .biz etc really help the Internet that much?

Maybe others may have more success trying it now?

This is a BS article and masks the real issue

[tlambert]

This is a BS article.

The main concern incluse using internal gTLDs for internal use. In the article, they call this a "split brain DNS". When I wrote the IETF Draft, we called it "split horizon DNS". Implementing it requires specific modifications to a DNS server so that it can be both a forwarding server and an authoritative server at the "." level, and there is practically no DNS server out there which implements it. Certainly, the top 4 don't. In addition, browser completion into ".com" by default means that any typo will take you outside the company, so it's an idiotic example anyway.

The real issue is that if there are 1000 TLDs, all the companies that stupidly equate the DNS namespace with the trademark namespace will, in order to "defend their trademarks" feel they have to register their trademarks as domain names with 1000's of registrars. The don't like this.

As a pointed example, we used to maintain the top level DNS servers for free; it was a volunteer thing, and Paul Vixie did most of the work. Then the idiots at Dupont went off and registered over 400 domains in a single day, and that was it; that was too much work to expect the volunteers to do for free, and so they decided not to do so. Thereafter you paid for registration. Then people decided they could make a good profit at it, and instead of paying for a change to the TLD subdelegation record. And the whole "let's rent domain subdelegations of TLDs instead of selling them was born".

So back to Dupont... 400 domains * 1000 registrars * $30 average per year = $12M

Expect legislation protecting trademarks across all TLDs to follow shortly on this whole fiasco.

Re:I don't like numbers without context . . .

[DriedClexler]

True. At the same time, though, I remember that for a while my favorite site was donotreply.com, where the owner would post emails he got as a result of organizations listing email addresses in the @donotreply.com domain. Apparently, even major security firms made it easy to accidentally reply confidential information to whoever happened to own donotreply.com.