ICANN Considers Using '127.0.53.53' To Tackle DNS Namespace Collisions

angry tapir writes "As the number of top-level domains undergoes explosive growth, the Internet Corporation for Assigned Names and Numbers (ICANN) is studying ways to reduce the risk of traffic intended for internal network destinations ending up on the Internet via the Domain Name System. Proposals in a report produced on behalf of ICANN include preventing .mail, .home and .corp ever being Internet TLDs; allowing the forcible de-delegation of some second-level domains in emergencies; and returning 127.0.53.53 as an IP address in the hopes that sysadmins will flag and Google it."

hacky

[dmitrygr]

Seems like a very hacky solution...

Re:hacky

[DrPBacon]

ICANT think of anything better.

Re:hacky

ICANT think of anything better.

ICANN!

Re:hacky

[hcs_$reboot]

That solution is indeed hacky. But if the LAN is correctly setup, the collisions should be minimal. I.e. on a "home" workstation, named something like "linux.home", that very station identifies itself and if the other LAN members communicate with "linux.home" an entry is supposed to be already present in "hosts" (like) files - and, usually, "hosts" file resolution takes precedence over DNS. For bigger implementations a DNS server or equivalent should be in place, and forward the unknown domains to external (Internet) DNS - again, their local config should contain an entry for the ".home" zone, preventing an external resolution.

Is returning 127.0.53.53 instead of NOT FOUND a good idea? Not sure about that, since, for instance, a browser will say "Cannot connect to..." instead of "Domain not found" - which is actually the correct error message. The real problem is when the domain+subdomain exist on the Internet, users will process information from the wrong site instead of the intranet one

Of course all IT teams will have to be DNS competent - which is currently not (always) the case ...

Re:hacky

What makes you think that a browser getting a 127.0.53.53 won't return a meaningful and very descriptive error? It is a special case worth flagging if ever their was one.

Re:hacky

[MichaelSmith]

DNS server or equivalent should be in place, and forward the unknown domains to external (Internet) DNS - again, their local config should contain an entry for the ".home" zone, preventing an external resolution.

Yeah but legitimate queries for the external linux.home won't work.

Re:hacky

[WaffleMonster]

But if the LAN is correctly setup, the collisions should be minimal.

I'm sorry the Internet is a production network. Time for amateur hour expired with the 20th century. We don't get to make assumptions out of ignorance anymore.

Is returning 127.0.53.53 instead of NOT FOUND a good idea? Not sure about that, since, for instance, a browser will say

When I type http://127.0.53.53/ into my browser I get a web site hosted on my computer. The entire 127/8 acts as a loopback not just 127.0.0.1. Quite a bit more problematic than "Cannot connect to..."

Re:hacky

[fuzzyfuzzyfungus]

Once you start down the dark path... Forever will it dominate your destiny.

It's not as though TLDs were ever a particularly shining moment in the history of information classification; but, after the remnant factions of the Ontology wars (remember when URLs were totally going to express useful data about the world and whatnot by being insufferably long and hierarchical?) retired or were driven into hiding, they mostly slumped, if more by erosion than sound structural engineering, into a vaguely safe and predictable structure.

And then they decided that it was just sickeningly adequate as it was and they started grafting on... things... things that should not be...in places that out not to have things there. Nothing could possibly go wrong. And oh boy, does it look like it will, good and hard.

Re:hacky

[jawtheshark]

if the other LAN members communicate with "linux.home" an entry is supposed to be already present in "hosts" (like) files

Host files? Are you serious? Nobody outside the tech world uses those and even the techs don't use it except for very very specific cases. For the normal users there is DNS-SD (Zeroconf) and anybody more technical is better off simply setting up a DNS server with authoritative zone for the local network (Which is why I hate these new TLDs... My domain of choice might be sold someday and I'll have to give it up using locally... having to use the boring .local or .home), with the added benefit of having a real DNS server on site becoming totally independent of the ISP DNS (well, unless you want to make a forwarding one).

This is a problem of their making. The generic TLDs shouldn't ever have been introduced.

Re:hacky

It may not even say "Cannot connect to". 127.0.53.53 is in the 127/8 range, reserved for localhost. On some systems, only 127.0.0.1 works for localhost, but nothing prevents a system from using the entire range for localhost.

So rather than getting an error, when server1.here lacks a host file entry for server2.here, you will be connecting to server1.here. So, from server1.here, "ping server2.here" will show that the network works. Browsing to "http://server2.here/" will show the start page of server1.here. If that's the default page, or the two servers are being setup to run some kind of load balancing - thus having the same content - the resulting confusion can be very hard to figure out.

Re:hacky

[hcs_$reboot]

I'm sorry the Internet is a production network. Time for amateur hour expired with the 20th century

I'm sorry, I feel the time for amateur hours exploded in the 21th century. Competency was diluted among the many so-called experts answering the huge demand of engineers. It seems in bigger companies IT management is confined to ensure IT services work fine - meaning in most cases implement the fewer changes as possible - "don't fix what isn't broken". Most teams are not used anymore to hacking, customizing, improving, innovating. When something a bit trickier than usual rears its nose on the horizon, they're lost. DNS implementation is one of these trickier thing.

Re: hacky

Answering the call for engineers or "web developers"?

Re:hacky

[therealkevinkretz]

If you have a local authoritative server, why will you have to give up your local domain? (unless you actually want to access the new rightful owner's network)

Re:hacky

[jawtheshark]

Why? Because it's only authoritative for the local domain of course. I do also have public authoritative DNS servers, but I don't want them to serve private IP addresses. So, at home my domain is called simply "sharks" (buying that goes like, what? 50k€). It is not public, but authoritative locally. Now, of course, I could take one of the domains I own, and use that. I don't really like that idea. My hosts are named after shark species, so you have mako.sharks, hammerhead.sharks, etc... mako.jawtheshark.com really isn't the same.

Perhaps it makes it slightly clearer. Contrary to popular belief, an authoritative server does not need to be authoritative for the public internet. Locally is just fine. Just don't use stuff that clashes with the public DNS system.

Re:hacky

If anyone can, ICANN can

Re:hacky

[jawtheshark]

I need to read better. You understood fully what I meant... The possibility of a clash is real and very very annoying.

Re:hacky

[DarkOx]

The problem really isn't so much not being able to reach some.home, on the internal network or even something.home on the Internet when you already have a local .home. zone.

The problem is all the uncounted config files out there with unqualified or partially qualified names in them. The RFCs are not entirely clear on what the correct behavior is, and worse the web browser folks have decided to implement the behavior differently themselves in some cases, rather than use the system nss services/apis.

So if you imagine an environment where DHCP configures a list of DNS search suffixes, and one of those is something like us.example.com or something. How the Windows boxes interpret a query mobile.mail (note no trailing dot) will possibly be different than the way the Linux machines do, and different than what the OS X machines do, etc and what Chrome or Firefox decide to do might be different than what nslookup does even on the same machine!

Its going to be nightmarish from a support and troubleshooting perspective, and lets face it nobody on your PC tech team really understands DNS, your network admins probably have a good handle but some major blind spots, and your developers are accustomed to making what are now dangerous assumptions. I am not sure I fully understand DNS on most days.

This is going to be a support nightmare at least at some sites, even some places where the ONLY sin was not using FQDNs everywhere all the time. Which might have deliberate, perhaps not the best way to have gone about it but knowing how search domains operate, and being able to set them with DHCP is entirely possible and like someone architect-ed mobile systems getting a local resource by depending on that behavior.

There are all kinds of potential security problems too. The gTLD expansion is making the Internet both less reliable and less safe.

Re:hacky

[DarkOx]

Right its a good idea to expect every application developer everywhere to put a special case test into their code see if the value in the buffer after a call to gethostbyname is 127.0.53.53 rather than just checking the return code and using the value directly or not based on the return code. Doing this means a new branch in every new app, for no real reason; It means odd behavior in old/not updated code that expects to either successfully resolve and address or not.

Case in point someone introduced a hostname into our DNS recently that caused a major application to break. Turned out there was a stale config entry for a hostname that no longer existed. As long as it had been getting back NXDOMIN things hummed along nicely, it just tried the next host in its list from a config file. When someone added that name back it, it started trying to connect to the new server ( which did not run the application it was expecting and did not listen on that port ) this would cause long timeouts on login while it tried and retried the other server. I grant this was a configuration error, someone should have cleaned that old config file, but there are situations like laptops where this might not be the case. Inside your organization .mail might exist as a zone, take the machine home and CustomAPP might work fine today getting NXDOMIN and switching to a local database or trying a different public hostname etc, now its going get back 127.0.53.53 and quite likely not know what to do; when the service isn't there.

No its patently stupid for the name resolution system to return BAD data. If something like .mail is not allocated or de-alocated than it does not exist, and NXDOMIN is what a public DNS system should return. The meaning is clear.

Re:hacky

Assuming it involves enough industry 'incentives' of course

Re:hacky

[Antique+Geekmeister]

It's spelled NXDOMAIN, by the way.

NXDOMAIN has not been a reliable response for invalid DNS queries for roughly 15 years. Look into the history of the "*.com" DNS entry in Verisign's root servers for the .com domain, which were returning valid Verisign owned hosts. And look carefully at the DNS proxy setups of major home network services, which often return their domain sales web pages instead of "NXDOMAIN" for invalid DNS entries.

Given that the data has _already_ been corrupted, this seems a reasonable attempt to broaden what is now done with "example.com". It also has the benefit that it's not auto-activated in default Kerberos configurations, a bit of behavior that genuinely alarms me in most default Kerberos setups and which few configuration tools have the ability to remove.

Re:hacky

[jafiwam]

Returning 127.0.53.53 makes a lot of sense if you put up an ad-farm parking page on it to make a bunch of fake money with ad impressions.

Double bonus points when the "service" gets sold to a bottom feeder who's ad-network gets infected, ending up trying to spread viruses with fake "you are infected!" pop up windows.

Re:hacky

[Stalks]

How do you put up a parking page that listens on loopback?

Re: hacky

This entire proposal makes no sense and sounds like a bunch of clueless morons sat around a table and discussed it, when their techs asked or answered their questions they dreamt up some clueless answers thinking they may have understood the issue when in reality the entire decision was out of ignorance.

Return NXDOMAIN for bad data, even -if- it is an emergency (if it's a massive DDOS they aren't going to do new DNS lookups, it's already cached!)

Don't prevent new tlds just because some idiot used it internally at mega-corp. assign the fucker TODAY and direct they to a web server with the bloody RFCS telling them how stupid they are and to fix their problem, not make it ours.

Re:hacky

[janeuner]

How do you put up a parking page that listens on loopback?

By sitting in a board room without any clue where your money comes from.

Re:hacky

Here's a better solution
Refuse to resolve any of the new gTLDs. Start petitions and stuff get you isps to refuse to resolves them. Get distros to patch their networking code to refuse to resolve them. Make them worthless.

Re:hacky

[dbIII]

Of course all IT teams will have to be DNS competent - which is currently not (always) the case ...

I changed the DNS hosting and upstream service provider for my workplace due to the service provider not having anyone competent with DNS. More than half the incoming email was getting discarded due to a combination of a slow link to the real mail server and them having a policy of setting the secondary mail server to be a thing that was quick to respond and silently discard all incoming mail. Getting 70% less spam sounds good until you find out that you are getting 70% less of everything.
Of course they went broke not long after so I would have had to change anyway.

Re:hacky

[skids]

Good summary. FWIW, People were using e.g. ".site" for local domain
for a long time. It was in the only draft RFC that addressed the issue,
and lacking any approved RFC people tend to follow the drafts. It was
noted on Wikipedia and many forums as to be used for this
purpose and along with some other TLDs had become a de-facto standard.
Then draft-ietf-dnsind-test-tlds-08 came along and removed it. Reserved
domains names continued to disappear from this draft document until they
were nearly all gone by the time RFC2606 was certified.

Then they started accepting and seriously considering applications for .site as a TLD and it looks like they are set to approve it. Boneheads.
So yes, in addition to unqualified names, there will be lots of problems with
software and configuration written when several TLDs were presumed safe.

RFC2606/RFC6761 have proper domains to use for test setups and documentation.
Unless/until they get suddenly ammended, which at this point, I wouldn't want
to wager on.

Re:hacky

[marcosdumay]

Yep, because those DNS servers that refused to reply NXDOMAIN will totally send you that IP code for the domains they don't know.

I mean, now it's a secret code, not some boring documented answer type. Nobody will hijack it.

Re:hacky

[Zero__Kelvin]

"Returning 127.0.53.53 makes a lot of sense if you put up an ad-farm parking page on it to make a bunch of fake money with ad impressions. "

DOH!

Re:hacky

[WaffleMonster]

I'm sorry, I feel the time for amateur hours exploded in the 21th century. Competency was diluted among the many so-called experts answering the huge demand of engineers.

Perhaps I should have chosen different words. I think some distinction is needed between "LameCo, Inc" electing to let fruits of dead labor run the show and competency of those who would be charged with making unnecessary global changes effecting everyone.

Re:hacky

[therealkevinkretz]

... but only if you want to access *.shark on the internet, right? I'm not trying to be pedantic, just don't know if I'm missing something.

Re:hacky

[camperdave]

How do you put up a parking page that listens on loopback?

Bots.

Re:hacky

I know that it considered bad form by many, but I have always used ".invalid" so that way I wouldn't have to worry about it. I use computername.computergroup.invalid and haven't had a problem with it yet. It also lets me know when people have been poking at settings and are more likely to contact the help desk because they usually will mention the "invalid" part.

Re:hacky

You will tell your grandchildren about this post.

Re:hacky

[idontgno]

They certainly will. They'll return the "IP code" (Did you just make that phrase up? How cute) of their own advertising servers, which they absolutely do know.

You've got a rather amazing combination of appalling ignorance and pedestrian snarkiness going there.

Re:hacky

Not going to happen so some networks you just can't reach. So you get what we had here, which is the way they want it. Well, they get it. I don't like it any more than you.

Re:hacky

[skids]

Lucky for you, .invalid is one of the names that remains in the RFC. However, RFC6761 says that DNS software at all levels (including an application, pre-client) is free to fail any queries to this domain, so as far as using it as an internal DNS domain, you have the potential of running into problems with code that enforces such strictures.

Re:hacky

[Antique+Geekmeister]

I'm afraid that I was unclear. Worrying about how this will hide valid "NXDOMAIN" results is pointless, since thoe have already been hijacked by many ISP's DNS proxy servers and instead return the ISP's desired advertising page. They can also be redirected to far, far more dangerous services, sich as Phishing websites or mail servers to accept misaddressed email.

Re:hacky

[jawtheshark]

Yes, only if I want to access *.shark on the internet. That kinda sucks no? Blacking out a whole subsection of the internet because they now suddenly have gTLD that are words which you could freely use before. You're not missing anything. It's just that is someone buys that, I'll have to give up using it locally, or I blackout a part of the Internet. My users (well, okay, in this case only my wife.... but you get the point) won't like that.

These generic TLDs were not a good idea, not now, not never...

Re:hacky

[marcosdumay]

Returning a known address can not improve the situation in any way, at best things stay the same, at worst you had a working DNS server before, but now you don't.

Re:hacky

[Cyberdyne]

Unfortunately, 127.0.53.53 is a perfectly valid IP address already in use globally - try pinging it on most machines for proof. Remember, the loopback address is not just 127.0.0.1 - it's that whole /8 subnet, all the way up to 127.255.255.255. Indeed, two of my own DNS servers are bound to 127.0.0.53 right now (there's another DNS server bound to the public IP address, which forwards certain queries to this one).

This seems like a really, really stupid hack to me. If they are effectively revoking the domain, why not just return NXDOMAIN instead of bad data? Apart from the "people seeing it for the first time will be curious and go and Google 127.0.53.53 to see why", the rationale just doesn't hold up. Apart from anything else, returning that will cause mail servers to attempt delivery to themselves. Yes, it contains the traffic within the host - but NXDOMAIN would stop the traffic having anywhere to go too, and is the correct response. (One clueless hosting company did something very similar - any departing customer's DNS entries were updated to route mail to 127.0.0.1 - with the result mail bounced until the new delegation propagated fully. 127.0.53.53 would have exactly the same effect.)

resolv.conf

[Rosco+P.+Coltrane]

search mydomain.com
nameserver 127.0.0.1

There, problem solved.
No need to say thank you...

Re:resolv.conf

I'm using MSDOS, you insensitive clod!

Re:resolv.conf

[0xdeaddead]

wattcp has been around for ages. Like, seriously, where have you been? http://www.vogons.org/viewtopi...

Re:resolv.conf

[rvw]

wattcp has been around for ages. Like, seriously, where have you been?

http://www.vogons.org/viewtopi...

He clearly needs to reconfigure his extended memory.

Re: resolv.conf

[AvitarX]

Yay, now there's an entire TLD you can't access.
I worked at a small business where the previous admin had read about 1/3 of every sentence about networking I think (the internal networks were 192.1.1.0, 196.1.1.0 and 196.0.0.0 (all /24), eventually it was a problem.
To be fair, it was in '98, and he was self taught.

emergency! emergency! I say

forcibly de-delegate google.com immediately. Its existence is offensive.

emergency response options

In addition the report recommends emergency response options, which will be employed only in situations "where there is a reasonable belief that the DNS namespace collision presents a clear and present danger to human life".

In other words, the DNS will be used for political oppression.

Re:emergency response options

DNS will be used for political oppression.

It must be American-made!

Obsolete

The IP/MAC addressing scheme it hacked to death already. How many protocols are used to get a single packet to its destination now? 50-100 or more? It's unfortunate that a better tiered scheme wasn't chosen to begin with, but with only a dozen or so nodes who knew it would grow to such an extent. If it where designed today, it'd be drastically different in architecture.

Re:Obsolete

You don't know what a protocol is, do you?

Re: Obsolete

Sure I do... Try ARP, TCP, DNS, IP, ETHERNET, 802.xx, MAC, BGP, HTTP (to get the port number).... Randomly tossed out there, it goes on and on and on... Most convert between PHY hardware layer, but still IP has dozens of adressing and routing protocols? Do you know what a protocol is?

Re: Obsolete

Oh my god! Ethernet and MAC are protocols!?!? Holy crap I best relearn the way things work!

Re:Obsolete

[Jesrad]

Or maybe you don't understand this other AC's point ?

For example, combining the addressing into the naming method, instead of externally tying 4-byte of IPv4 adressing with host/domain names with a ad-hoc protocol. See IPv6's capability to have addresses made of letters, and push it a little further ? Then maybe even nest some routing hints into that data. Eck, include some multicasting capability at that point too, if you can. Once you start reconsidering the whole IP addressing and routing, surely there are a few better ways to name and address machines and route data to those addresses, which would make more sense at the current scale and form of the Internet. Might as well question the principle of maintaining a shared namespace in the first place instead of letting nodes make up their own (and sharing these namespaces, or fractions of those namespaces, between each other), too.

Re: Obsolete

[aichpvee]

Boy, boy, stop fighting with yourself.

Re: Obsolete

Ethernet, 802, and MAC are the same thing. So that's a list of nine protocols with three redundancies. The only way you're going to involve more than a hundred protocols to get a single packet to its destination is by introducing a whole lot more ignorant redundancies. I know! Let's say HTTP and HTTp and HTtp and Http and http are all different things, too!

Re:Obsolete

A layered model of networking protocols works just fine, thanks. But if you're interested in redesigning things, the English language is kind of old. It must be obsolete! Combining letters to make words is too much trouble. Surely there must be a better way, such as some kind of series of meaningful grunts. We can call it hipster grunt protocol. Grunt! Grunt! Grunt! Grunt! Grunt!

Re: Obsolete

For some reason I though of my first fight with Tyler.

Re:Obsolete

[DarwinSurvivor]

See IPv6's capability to have addresses made of letters, and push it a little further?

You mean hex? That's just the way you type it, it has NOTHING to do with the actual packets. For instance, slashdot's IP (216.34.181.45) could just as easily be written as "d8.22.b5.2d", or even "d822:b52d".

We just switched from decimal to hexidecimal for IPv6 notation because the addresses are so much longer now (IPv4 is up to 15 characters in decimal, IPv6 would be up to 63 characters if we used decimal (only 39 in quad-character hex).

Re:Obsolete

[Buck+Feta]

(IPv4 is up to 15 characters in decimal, IPv6 would be up to 63 characters if we used decimal (only 39 in quad-character hex).

v4 is 32 bits, v6 is 128 bits (not 15 and 63). v6 is 32 chars in hex, if not dropping zeroes. Otherwise, a good post.

Re:Obsolete

[Buck+Feta]

Never mind,my reading comprehension is not good right now. Too late.

Re:Obsolete

[thogard]

Early ip resolver libraries would sometimes parse octal ip addresses with commas as in your example of /.'s ip address as 330,42,265,55. Many of those would also deal with a 0xd822b52d or sometimes without the 0x. Many systems will let you do something like "ifconfig en0 0xd822b52d/32 alias"

Some of the early proposals to expand the IPv4 address space was to allow use more of the bits from the ports source and destination addresses so you could do things like "ping 8.8.8.888" or "ifconfig en0 8.8.8.8/32/13/2 dstbits 4 srcbits 8"

Re:Obsolete

[Sique]

With the : between groups of four characters, you have to add 7 chars, and 32 becomes 39.

Re:Obsolete

[davidhoude]

Maybe we should start hiding math equations in IPv4 addresses since they use numbers.

Re: Obsolete

[camperdave]

Ethernet, 802, and MAC are three different but related things. IEEE 802 is a family of networking protocols dealing with the data link and physical layers of the ISO standard. Ethernet is a subset of that family, specifically the 802.3 subset. Other subsets include 802.4 (Token ring), 802.11 (Wireless LAN, eg. WiFi), 802.15 (Wireless PAN, eg Bluetooth), and a slew of others. MAC (Media access control) is a sublayer of the data link layer, dealing with converting the bit stream provided by the physical layer into usable data. It deals with addressing and media arbitration. Within Ethernet, it handles collision detection. Within Token ring, it manages the token. Within wireless, MAC handles TDMA, FDMA, CSMD etc.

Re:Obsolete

"For example, combining the addressing into the naming method"

The IP adressing and the naming (DNS) are two different structure for a good reason.
One is physical and the other logical.
Mixing them together defeat the purpose for which they were designed.

Re: Obsolete

[allo]

The best thing: Protocols like QUIC, which should be just above IP and are above UDP.

Re:Obsolete

[DarwinSurvivor]

Wow, that would have definitely fucked with legacy gear!

Re:Obsolete

[thogard]

Oddly enough, it wouldn't. You could use NAT hardware in front of old gear and everything will just keep working. Stuff that gets updated, could just use the new syntax and deal with things correctly. Stuff like core routers and switches wouldn't care. It would be fare less disruptive than trying to install ipv6.

Re:Obsolete

[DarwinSurvivor]

Wouldn't there be issues if 2 machines who's IP's only different in the borrowed port bits were physically distant from each other? I can see the core routers having issues with the same "IP" (the original IP part) being in 2 countries at once. Unless they were going to restrict the IP's that differ by port only to be on the same local network, but then you may as well just use a NAT with forwarded port ranges...

Why bother?

[fuzzyfuzzyfungus]

Surely something as visible, and rife with opportunity for outrageous comedies of error, as DNS namespace collisions can simply be allowed to work itself out, through the time tested, enjoyable(for spectators), and reliable methods of endless risible fuckups followed by stilted non-denials from people who should have known better and vicious mockery from everybody else? Have we lost all sense of tradition? Taste? Humor?

(Perhaps more importantly: wouldn't it be neat if there were some sort of super cool, totally futuristic, security mechanism? One that used a secret number, that the server never told anyone, but still managed to prove that it knew, because number theory, instead of just relying on the URL being right? I bet that I'd have to go, like -25 years into the future to see a system that advanced...)

Re:Why bother?

Heh heh. Reminds me of a former workplace, a department of the federal government. We had a... complex DNS setup (this was years ago) and sometimes things would act up a little. Usually not enough to bother regular users, but writing networked / Web based applications, I'd often notice it first. I'd call downstairs (that group was on the basement level, just like the IT Crowd) and they'd assure that everything was working fine. But in 5 minutes to half an hour, it would suddenly *actually* start working fine. They really were good folks, they were just pathologically unable to admit to anything being wrong.

Re:Why bother?

[bill_mcgonigle]

stilted non-denials from people who should have known better and vicious mockery from everybody else

Oh, you've had to speak with Exchange admins who can't figure out what HELO is too?

Re:Why bother?

[dbIII]

they were just pathologically unable to admit to anything being wrong.

In some places that's the price that has to be paid for continual employment. Of course in the long run it's probably better to get out of such a place.

Re:Why bother?

[dbIII]

Don't remind me, although in my case it was an expensive MS Exchange "consultant".

Re:Why bother?

[fuzzyfuzzyfungus]

HELO is one of the words in the Language of The Unclean. He was probably freaked out enough at the mere implication that there are mailservers that are not Exchange Servers, lurking beyond the LAN, beyond the guiding light of NETBIOS; babbling their blasphemies across the vile chaos of TCP/IP. That you wanted him to take an innocent little Exchange server that knew only goodness and MAPI/RPC, and corrupt it, that's just fucked up. You probably got reported to the cyber police.

Re:Why bother?

I take it helo is a SMTP Command.

Re:Why bother?

[dbIII]

innocent little Exchange server that knew only goodness

He made it so good and generous that he set it up as an open relay.

After that I changed things so the accounts clerks got their nice, shiny and sloooow MS Exchange server but safely hidden behind a *nix box that protected it from the big bad net.

STOP

[WaffleMonster]

The proliferation of TLDs has no positive effect on the Internet community whatsoever short of enriching ICANN and it's seedy network of bottom feeders.

Well ok say it helps scamming phishers and enables organizations to part with even larger sums of cash in any efforts to protect their brands.

Lighting up names with a loopback address like this "127.0.53.53" garbage is about the level of crap we can come to expect from the total idiots at ICANN. If you need to associate an A record pick an address guaranteed to be black holed not one that causes machines to resolve to thyself... extraordinarily moronic...

In my view DNS operators should take responsibility to prevent damage to their customers by not blindly delegating * to root zone operators. Only delegate known TLDs and require manual blessing of all operators before admitting any new TLDs.

Re:STOP

[dosius]

Like 0.0.0.0?

Re:STOP

[Z00L00K]

Or 255.255.255.255 - broadcast to the whole internet - get spammed by replies!

Re:STOP

[davidhoude]

ICANN will probably release the TLD .0 soon.

Re:STOP

[MichaelSmith]

Then TLD . and we will be truly fucked.

Re:STOP

...hammer time.

Re:STOP

[thogard]

I know a few people who have conspired to tell others that the nontraditional domains are like 1-900 phone numbers and when you use them, you will get a bill from your ISP.

Re:STOP

[mysidia]

In my view DNS operators should take responsibility to prevent damage to their customers by not blindly delegating * to root zone operators. Only delegate known TLDs and require manual blessing of all operators before admitting any new TLDs.

I agree.... ICANN was given their chance, and trust, AND they blew it.

Now a technical solution on the part of organizations administering DNS servers is warranted to head off this TLD foolishness.

Re:STOP

[Zero__Kelvin]

255.255.255.255. isn't the address of "the whole internet". It is the network address for your local intranet only. No packets will make it beyond your ISP and in most setups they won't get that far (i.e. with a wireless router, etc.)

Re:STOP

[Uncle+Warthog]

Ooooo, I like this one. Who are these people and do they have any kind of formal organization? I want to join up....

Re: STOP

255.0.0.0

Re: STOP

[Zero__Kelvin]

Nope. That's a class A address. It is the network address for a class A subnet, not the "whole internet".

Those wondering why 53.53

[hcs_$reboot]

53 is usually the port number from which DNS servers answer DN requests (usually UDP).

Re:Those wondering why 53.53

[davidhoude]

What about those of us just wondering Why?

Re:Those wondering why 53.53

[jones_supa]

I figured out that one, but am still confused what's the purpose of that new special address in the first place?

Re:Those wondering why 53.53

[hcs_$reboot]

TFA is confusing. The way I understand it is adding a TLD like '.home' may have some wrongly configured systems resolve something.home from the newly 'home' zone made available from the Internet DNS, instead of a local/intranet resolution. In order to help sysadmins to catch inappropriate Internet resolution of such TLD (in case that FQDN doesn't exist, I guess since not in TFA) is to return the 127.0.53.53 address, a particular loop-back address that allows particular settings to be implemented in order to log/show the user that the intranet domain is currently not available., e.g. for a user connected outside the company (guess 2).

Re:Those wondering why 53.53

[Opportunist]

Money. Next question?

Re:Those wondering why 53.53

[LoRdTAW]

"TFA is confusing"
Glad i'm not the only one, bear with me....

From what I can understand as a non-network-admin is that some private networks have their own suffix like .home and these can be mistakenly resolved for a public TLD since .home is now a valid TLD like .com. So if my home network is lordtaw.home and I have two systems: linux.lordtaw.home and windows.lordtaw.home, my router/DNS server can mistakenly try to resolve those domains to an external IP if it not configured correctly. And the fix if for external "public" DNS servers to return a specific loopback address which would hopefully show up in logs to alert me to the fact that my routers DNS server should know better than to try to publically resolve lordtaw.home over the internet. Correct?

Re:Those wondering why 53.53

[DavidLeeLambert7357]

Actually, the article (and if I understand it correctly, the report) doesn't recommend the "127.0.53.53" solution for ".corp" and ".home". It recommends that those be kept permanently unassigned and unassignable in the global registry, similar to ".test" and ".invalid". The "127.0.53.53" solution is one of the "emergency response options", maybe if some widely-deployed software sends unencrypted security-sensitive logs to "logserver.corp" by default, or if some seemingly-innocuous top-level TLD turns out to contain a similar widely-deployed security-sensitive name after people already start registering names.

Re:Those wondering why 53.53

[marcosdumay]

You know what people will notice even faster than returning localhost? Returning NXDOMAIN. That'll make it obvious for everybody, from the netwrok admin to the end user, that something is wrong. As an added bonus, that'll make completely clear what's wrong, instead of sending people into a useless debuging saga, and hoping they google the value you expect.

Of course, not issuing the new TLDs wouldn't create the problem to start with... But then, somebody alredy answered that "why" up there.

When greed breaks stuff

[trifish]

All the people who warned them that they will cause permanent micro- and macro- disasters all over the world have been ignored. Due to greed. Let them be proud of their achievement.

Re:When greed breaks stuff

[hcs_$reboot]

All the people who warned them that they will cause permanent micro- and macro- disasters

Many political figures have actually a "micro" view of events - i.e. the time difference [ NextElection - now ]. Not enough to accurately consider something as diluted in time as global warming.

Re:When greed breaks stuff

[Opportunist]

Think again: When (not if) the shit hits the fan, who do you think will get the blame? The C-level that fucked up and didn't even understand the problem or the admin who was never informed about it?

Re:When greed breaks stuff

[dbIII]

Neither in large and dysfunctional companies.
The admin that was informed about it and tried to point out the potential problem is the one that gets blamed when the problem manifests.

IPv6 should have been entrenched before TLD prolif

[unixisc]

It was always known that IPv4 was running short, and given that, I blame ICANN for proliferating TLDs before IPv6 got well adapted, entrenched & established.

This is different from the question of whether there should be a gazillion TLDs worldwide (I disagree w/ the idea, but let's allow that for the sake of this discussion). Now, as it is, there are unlimited names and ways that websites can be formed, and to make things worse, TLDs are also mushrooming. So one needs an addressing scheme that could mathematically do the best job @ accommodating it.

The only Layer 3 protocol that I can think of that would achieve this is IPv6. Before that gets universally implemented and established, what was ICANN thinking laying out TLDs nilly willy? Result of that is more pressure on IPv4. Let's face it - IPv4 has hit its limit already. We had that discussion the other day of how it's not run out in North America, but once that happens this year, things will only get uglier: multiple levels of NAT would make it a de facto Layer 4 or above communication. The only way to preserve Layer 3 is IPv6, which seems to have enough for everybody.

Only good thing about this issue - if it forces the acceleration of adaption of IPv6 across the board - from infrastructure to last mile.

Re:IPv6 should have been entrenched before TLD pro

[MichaelSmith]

Having new TLDs beside .com should be better for the internet. Multiple name spaces should facilitate load sharing between DNS servers.

Re:IPv6 should have been entrenched before TLD pro

There have always been plenty of TLDs, they just haven't been used. How's that going to change with new ones?

Re:IPv6 should have been entrenched before TLD pro

[unixisc]

There are already several TLDs - one for each country. Having that, and in addition to that, .com, .net, .org, .gov and .edu was adequate. At any rate, this TLD proliferation shouldn't have been done before IPv6 was ubiquitous.

Ipv4 served, but ipv6 ?

Trapping TLD for Ipv4 would be fine, but what would be the equivalent for Ipv6 ?
Loopback is 127.0.0.0 /8, but there is only one place like ::1

So what trick would ICANN use for IPv6 ?

FMPOV, the proposal is only a trojan to have faster distributed censorship at the DNS level.

If the DNS setting of a corporation is lousy enough to let a request for .corp get out, let them eat their own shit and make the joy of the true .corp sites.
And who ever comes with the idea of private unofficial domain ending with .home, .corp or .mail should be flogged. It was the bad answer to a problem, time is now to pay for such bad work.

Re:IPv6 should have been entrenched before TLD pro

Wut?

ICANN getting evil with TLDs has nothing to do with IPv6 proliferation...

Re:IPv6 should have been entrenched before TLD pro

The parent comment has the same level of expertise I've come to expect from ICANN... too bad I cannot mod it -5 idiotic...

Solution looking for a problem

[dutchwhizzman]

As if people haven't already made up domains and host names that didn't exist then and exist now? As if people hadn't been using public address space that wasn't assigned, but is now? Just because some "privately used" TLDs might get exposed because of sloppy system admins, ICANN shouldn't be running around in circles and cry and shout. Let it happen, it's happened before and it will happen again and again. Stop fighting the symptoms and let it ride out.

Re:Solution looking for a problem

[Opportunist]

I can see you're not responsible for security in a company.

I'm so NOT going to sit on an ejector seat just because some idiot thought it's fun to use some "internal" domain name for his projects without informing IT! And trust me, that shit will happen. And it's not going to be any sysadmins fault but rest assured that the PHB who fucked it up will twist it 'til the admin gets it.

I doubt there are too many around here who are looking forward to that.

127.4.0.4

Why not 127.4.0.4 instead of 127.0.53.54 .. if it's not actually found :)

Re:127.4.0.4

[hcs_$reboot]

...or 127.0.222.173, ie hex 7F00.DEAD.

is 10.0.0.0/8 really needed to be private?

[JavaBear]

Make it 10.0.0.0/12 for private networks, and reclaim the rest for public networks?

Re:is 10.0.0.0/8 really needed to be private?

[characterZer0]

That does not address the issue they are trying to address here.

Also, there are so many people using addresses in 10.0.0.0/8 but not in 10.0.0.0/12 that you would have to give years lead time to let them get that changed. May as well go to IPv6.

Re:is 10.0.0.0/8 really needed to be private?

[squiggleslash]

This isn't the problem. As I understand it (and I've read the article multiple times and it's early in the morning so I may be getting it wrong), the problem is this:

1. ICANN is introducing new .TLDs (eg additions to .com, .net, .org) etc (we've known about this for a while, this isn't news.)
2. Common practice on private networks is to create and use an unused .TLD for the private network, for example ".internal", ".corp", etc. For example, your employer might, right now, be calling your workstation "pc117.nyoffice.intranet"
3. After analyzing global DNS hits, ICANN's researchers found that many/most of the new proposed .TLDs are already, apparently, in use by private entities for their private networks. You might ask how they know? Well, think in terms of a roaming laptop that upon connecting to a Wifi at Starbucks immediately, before the VPN is set up, tries to access "exchange-server.nyoffice.intranet". It makes the DNS lookup, and because the VPN isn't up yet, the DNS lookup goes to the global DNS servers, causing a bell to ring in ICANN's HQ (or something.)
4. ICANN needs to "do something" to alert people with private networks to change their TLDs, or else those people will, unintentionally, find themselves locked out of sites with the new TLD. (Cynical PoV: and this will decrease the value of the .TLDs themselves. Kerching!)

Now ICANN appears to believe that the best solution is to have the .TLDs return this odd 127.0.53.53 IP address instead of "domain not found" for all unknown domains, so that if a technie working for a company affected is roaming with their laptop, and they try to access "exchange-server.nyoffice.intranet" forgetting to put up the VPN, and ".intranet" is a new TLD, and they can't connect because the VPN isn't up, and they decide to check their Windows Event Logs to figure out why, then instead of "domain not found" which would immediately make them think "Oh wait, of course it can't be resolved, it's not a real domain and I'm not on the VPN", they'd see a weird IP address, and think "That's odd, let me Google that, there's obviously a problem with DNS."

(I think they'd have more luck if they made it a pair of real IP addresses, one A, one AAAA, pointing at a website that tells the roaming user the answer that they can report to a sysadmin, rather than forcing a sysadmin to Google something they may never become aware of because they may not roam in the first place, but to be honest, even that sounds like a bad idea, I'd rather IP addresses not be returned for invalid domains to begin with.)

Re:is 10.0.0.0/8 really needed to be private?

[KiloByte]

Having more bits makes it easier to manage your local ranges. When you have multiple locations and a bunch of VPNs between them, more address space means you don't need to squeeze it tightly -- something that always backfires once there's a need for expansion.

Re:is 10.0.0.0/8 really needed to be private?

[JavaBear]

A very good explanation. Thanks.

Re:is 10.0.0.0/8 really needed to be private?

[i.r.id10t]

So... what you are saying is that ICANN/IANA should've done something similar for names that has been done for the various "private" "non-routable" ip address pools (10.x.x.x, 192.168.x.x, etc) have done since The Beginning... there needed to be some TLD that would only work for local networks and queries.

Of course, since that didn't happen all those years ago admins and amatures (and amature admins even) have been using a random mess of things, usually done by trying to ping or get a nslookup for some hopefully imaginary TLD and when it works (or rather, returns a NXDOMAIN error) they assume they can use it locally without repurcussion.

Which means there are tens, hundreds, or maybe thousands (or more!) "fake" TLDs in use out there, some hard coded into applications that are no longer supported, etc. but are still in use. Which means to try and fix it now would be pretty much near impossible.

Re:is 10.0.0.0/8 really needed to be private?

[PPH]

so that if a technie working for a company affected is roaming with their laptop, and they try to access "exchange-server.nyoffice.intranet" forgetting to put up the VPN, and ".intranet" is a new TLD, and they can't connect because the VPN isn't up, and they decide to check their Windows Event Logs to figure out why, then instead of "domain not found" which would immediately make them think "Oh wait, of course it can't be resolved, it's not a real domain and I'm not on the VPN", they'd see a weird IP address, and think "That's odd, let me Google that, there's obviously a problem with DNS."

Which is fine for a techie.

I see millions of support calls when non-techie people can't find the cute cat pictures.

Re:is 10.0.0.0/8 really needed to be private?

Does Ford Motor Company really need 19.0.0.0/8 for just their organization?

(hint, when I worked there every computer in IT has a 19.x address, then they use firewalls and routing to prevent those from being public. In reality they need maybe 50-100 addresses TOPS. Then learn how to use RFC1918.

Re:is 10.0.0.0/8 really needed to be private?

[squiggleslash]

In fairness, DNS is so broken that it's a miracle any changes ever get past the "wishful thinking" stage. I still remember the original news reports that new TLDs were being added to the DNS system... in the late nineties. It took over a decade for anything to actually happen after that original announcement, and they're still trying to make it work.

What's the difference been that and, say, the fact CNAME is virtually useless and nobody uses _SRV? Answer: Money.

Re:is 10.0.0.0/8 really needed to be private?

I've been desperately trying to raise enough money for .local, anyone want to chip in a few thousand?

127.0.53.53.... why not 127.0.42.42?

[Uzull]

>ping answer.to.the.ultimate.question.of.life.the.universe.and.everything
Pinging 127.0.42.42 with 32 bytes of data:
Reply from 127.0.42.42: bytes=32 time=2ms TTL=249
Reply from 127.0.42.42: bytes=32 time1ms TTL=249
Reply from 127.0.42.42: bytes=32 time=1ms TTL=249
Reply from 127.0.42.42: bytes=32 time1ms TTL=249

Ping statistics for 127.0.42.42:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = eternity, Average = ask Deep Thought

CANN I HAZ

Your loopbakz?

Better yet, no new TLD

The best solution here is to simply stop this TLD madness because it provides no value at all. A new TLD can be created each time the UN recognizes a new country's existence, but for no other reason.

Re:Better yet, no new TLD

The best solution here is to simply stop this TLD madness because it provides no value at all.

Why, it provides plenty of value. Oh, did you mean for people?

Well, it provides good value to ICANN, anyway.

Yay, applied spearfishing!

[Opportunist]

Let's face it, the whole craze around the new TLDs is a huge can of worms that serves no purpose (well, none but to make some people rich) while being a problem waiting to explode.

Take Mike, the manager. Mike is a good manager (yes, they exist. No, really!) and he's pretty competent. Well, not in IT, of course, but in his field. In IT, he has to rely on his IT department (and, as I said he is a good manager, he actually does). Mike takes his laptop home, not to play but to actually do some meaningful work. So he creates a rather sensitive document and decides to save it. Now, in our current world, the internal name "documents.thecompanyheworksfor" won't resolve and the system falls back onto his documents folder. Which is pretty neat, because that's what gets sync'd automatically the next time Mike drops his laptop into the docking station at work. No fuss for him and also none for his IT department.

In the new and improved world of TLDs at will, that server could well exist. And it does not necessarily belong to the company Mike works for.

And that's just the tip of the ice berg, how about launching some program from a remote location? Undocked, it won't launch, and if it's just a script that provides network information, who cares? In our new world, it may well launch some malware.

Now, of course one may say that IT should know that and IT should prevent it by ensuring that these things either resolve correctly or not at all. Fair enough. Now, who here can say that he knows of EVERY domain entry in his company's environment (provided you're not working for some mom'n'pop shop)? Who would put his job on the line for saying that there was never some self absorbed PHB who insisted in having the necessary rights to create what domains he thinks was funny without informing the IT department?

TLDs are going to be a security nightmare. But hey, who am I to complain, it's job security for decades!

Re:Yay, applied spearfishing!

[DarkOx]

Well that is pretty clearly a failure of the application documents.thecompanyheworksfor should be authenticated by the application in some fashion. An SSL certificate or similar. Otherwise it was always vulnerable to anyone who could manipulate DNS.

Whats more likely to happen is Mike opens up his laptop at home. The sync program starts up, and attempts a to resolve documents.thecompanyheworksfor, yesterday when it got back NXDOIN it immediately went back to sleep, got out of the way etc, concluding Mike was not on the corporate network. Today it gets back an address and hangs while it tries again and again to see if this server at 127.0.53.53 is going to respond.

Re:Yay, applied spearfishing!

>Well that is pretty clearly a failure of the application documents.thecompanyheworksfor should be authenticated by the application in some fashion. An SSL certificate or similar. Otherwise it was always vulnerable to anyone who could manipulate DNS.

Hehehehe. That's funny. I don;t think I've ever seen little internal pages/servers have their certs added to the whitelists correctly. It's not impossible to do, but no one does it and I always have to click past the scary warnings in my browser.

Re:Yay, applied spearfishing!

Is this a theoretical word-processor that doesn't exist? What are you guys running?

I'd expect "save as" -> "documents.thecompanyheworksfor" would make say a file on a "file-system" (local or remote) called "documents.thecompanyheworksfor.txt".

If he put the document on a website it would have a URL like: "http://attack.me:12345/thecompanyheworksfor/documents.thecompanyheworksfor.txt"

Not the most useful name, but I still see no room for pollution between the DNS portion of the URL: "attack.me" and the filename: "documents.thecompanyheworksfor.txt".

Is there some eMyWebIsWacked 5.3 movement I don't know about where these two very separate concepts (file name vs system name) got polluted with each other?

Re:IPv6 should have been entrenched before TLD pro

[mysidia]

Having new TLDs beside .com should be better for the internet. Multiple name spaces should facilitate load sharing between DNS servers.

No it won't. Everyone still needs a .COM. Alternate TLDs are a novelty market.

HOST FILES

This story is vaguely DNS related therefore HOST FILES.

cc: apk

Re:HOST FILES

why dont u disproof apks mini fine points and logics u cowward trowel. apk buttsechezes ur mum. did apk defeateds u wit logics and sciences bcuz ur a ghey homo. use the host file.

~not apk

p.s. why dont u disproof apks mini fine points and logics u cowward trowel. apk buttsechezes ur mum. did apk defeateds u wit logics and sciences bcuz ur a ghey homo. use the host file.

Re: HOST FILES

Apk is Jeremiah Cornelius, and he is a fucking idiot.

Re: HOST FILES

why dont u disproof apks mini fine points and logics u cowward trowel. apk buttsechezes ur mum. did apk defeateds u wit logics and sciences bcuz ur a ghey homo. use the host file.

~still not apk

Re:HOST FILES

[unixisc]

Yeah, ICANN should use /etc/host in their solutions to more TLDs. Maybe make virtual hosts out of all their new TLDs

Re:HOST FILES

http://it.slashdot.org/comments.pl?sid=4854243&cid=46395403

Re: HOST FILES

http://it.slashdot.org/comments.pl?sid=4854243&cid=46395403

Re:HOST FILES

Hahahaha http://it.slashdot.org/comments.pl?sid=4854243&cid=46395403

Re:IPv6 should have been entrenched before TLD pro

[KiloByte]

this TLD proliferation shouldn't have been done

Full stop. Your conditional clause is unnecessary and wrong here. As much as we need IPv6, the TLD diarrhoea should never have been allowed to happen.

Re:IPv6 should have been entrenched before TLD pro

[jon3k]

New TLDs shouldnt necessarily drive any real increase in IP address space usage. We've had vhosts for a long time.

and the winner is...

[fulldecent]

The entity that benefits most from bastardization of ICANN is... Google.

You can always find Google and Google can always find where you want to go. And now typing addresses into the address bar is about to get more painful.

I'm sorry

[tom229]

But if this happens on a corporate network, ever, your IT team is incompetent and needs to be replaced.

Re:I'm sorry

[ratboy666]

Um... this will happen all the time!

You access some resources on your corporate network from your laptop. To do this, you have configured an application to talk to the server. That server happens to have the name whizzy.corp.

So far, no biggy. IF you launch the application and you are not at work, whizzy.corp doesn't resolve. For example, at your local starbucks, BEFORE you open your VLAN.

What happens when .corp is assigned? Suddenly whizzy.corp is now a machine on he internet. Say the application is your corporate IM system.

(I would imagine that names like exchange.corp would be very hot items).

For this reason, the recommendation is that .corp, .home and .mail be reserved.

I would like all the RFC 6762 names to be reserved (.intranet, .private, .lan, .internal as well).

Of course, startup applications on laptops COULD be locked down, along with a strict no-byod policy, thereby eliminating these issues... maybe. If your company supports a VLAN, they may well arise anyway. This CAN be made to work, but I am (fairly sure) that most users wouldn't like it.

Re:IPv6 should have been entrenched before TLD pro

Everyone still needs a .COM.

Why? Typing in domain names is as obsolete as AOL keywords.

That's amusing

[dbIII]

Now the MSCE folks are getting annoyed that people even more remote from certified professional engineers are taking up the label. Face it - help desk monkeys that couldn't finish high school and did no self study, training or experience get that title the minute they pick up a script to read over the phone.

Internal TLD?

[PPH]

Back when I used to work for Boeing, our internal TLD was .com. Anything looking for a .boeing .com domain would be resolved via our internal DNS system. All other .com (and any other TLDs) were forwarded to the public DNS services through a firewall.

Were someone to take their laptop out of the company, .boeing.com requests would be resolved via their external DNS service. And they could deal with erroneous requests for internal services in a number of ways. Deny then, or divert them to some sort of error handling service (web page: "Aren't you supposed to be at work right now?") Hand them over to some sort of VPN login service or other firewall portal. Or obfuscate the response, keeping people outside from probing around and guessing at the internal company network structure.

It all worked and it handled everything secure within the companies systems.

Stops the Verizon DNS redirector?

I wonder if this 127.0.53.53 would preempt the ISP's DNS redirector (gives end-user customized web pages for unknown or unresolvable TLD).

If so, then I'm all for it.

Here comes the 127.0.53.53:53 trojan!

I can see it now - some jackass will create a trojan that lives on 127.0.53.53:53 and burn a lot cycles and machines!

Think of the resources used by this "fix"

For all of the small devices out there - they will now need some sort of hack to listen to localhost...just to reply to the DNS request. How big will this stupid daemon/program have to be? Then will come the "hacks" to fix the case where the machine has in its own cache the address...but the DNS server does not.

What happens to networking? Do you now have to subnet out 127.0.0.0/8 to something different? I can already see the case where some "large group" wants a "common" hack...a 127.0.53.53:53 server hosted off one box serving a bunch of others...and 127.0.0.0 will forever be destroyed!

browsers part of the problem

[CKW]

I have a big enough problem with my stupid browser deciding that when I type "blahblah" into the host bar that if it can't reach "http://blahblah:80/" that it should automatically default to "http://blahblah.com/" or google "blahblah" ... yeah, that's what I need, the internal hostnames leaked to google, thanks idiot browser developer.

Okay, it's good for grandma and everyone else using browsers. There should be a clear UI element that appears when this happens to allow me to disable it.

Re:IPv6 should have been entrenched before TLD pro

[unixisc]

Isn't that more on Unix-like web servers? I doubt that any IIS based servers implement virtual hosts, or do they?

.com .org and .net are enough

What are these 1400 new top level for? sounds like a real bad idea.

DO NOT RETURN IPv4 addresses

[unixisc]

Chances are that they may still have antiquated routers/networks hard coded to 19.0.0.0/8, and would have to spend a considerable amount to replace. In the meantime, having that entire Class A means that internally, within the organization, they can assign them to their various locations worldwide, w/o batting an eyelid or bothering ARIN.

Like I've argued, nobody should ever return any IPv4 addresses: even if they've switched completely to IPv6, they would likely still need dual stacked support for communicating w/ those that don't have IPv6 support, and it's silly to go over to IPv4+NAT if they already have private IPv4 addresses. Also, even w/ NAT, one can't reduce their public IP addresses to 1. Since the most common NAT used is Port Address Translation, or PAT (overloading), where multiple public IP addresses help alleviate network traffic, that too would not relieve much pressure on IPv4.

Bottom line - just focus on adding IPv6 support and continual improvement in its services & performance, and go fully dual stacked. Over time, the need for IPv4 should then go away

By being an ISP

[tepples]

By being an ISP and insisting that new residential Internet customers configure their modem through an EXE. This EXE ends up installing "ComWarner Connection Agent" that listens on localhost:80 and serves up 302 redirections to whatever shite-finder service paid ComWarner for ads.

add it to your host file ;-)

Just do a loopback 127.0.0.1 local website ;p Bam done! Or even better 0.0.0.0

Isnt it about time for reserved internal lan TLDs?

[intangible]

I wish ICANN would finally give us some real "reserved" internal TLDs, but we do have a few we can work with:
RFC 2606 https://tools.ietf.org/html/rf...
      test, example, invalid, localhost
"gTLD Applicant Guidebook", Section 2.2.1.2.1 "Reserved Names" http://newgtlds.icann.org/en/a...
      afrinic, iana-servers, nro, alac, icann,
      rfc-editor, apnic, iesg, ripe, arin, ietf,
      root-servers, aso, internic, rssac, ccnso,
      invalid, ssac, example*, irtf, test*, gac,
      istf, tld, gnso, lacnic, whois, gtld-servers,
      local, www, iab, localhost, iana, nic

Most of those aren't really suitable for internal network names except perhaps "tld" and "local" but we can't use "local" because of multicast dns... but that RFC does reference some other names we're PROBABLY safe to use:
RFC 6762 http://tools.ietf.org/html/rfc...
      intranet, internal, private, corp, home, lan

It'd be great if we could just get the alternate example domains from RFC 6762 explicitly reserved.

Re:IPv6 should have been entrenched before TLD pro

[DavidRawling]

Sure they do - all the major web servers and hosting platforms can use and define vhosts (it's just that the mechanism for creating them differs on each platform). IIS for example, if you create a new site, using "All IP Addresses" port 80, will require that you designate a host header so that the HTTP engine can route the request to the right Web Site (and corresponding content). All IP Addresses port 80 with an empty Host Header acts as a "catch-all" and is assigned to the Default Web Site. Which you generally disable, and create your own config for, if you know what you're doing. Apache, on the other hand, configures those vhosts in text files (nowadays under sites-enabled, as I recall). But the functionality is all there on pretty much all major platforms.

Now if you're arguing that the administrators of IIS servers are exponentially less likely to have a clue about host headers, when compared to their Apache/nginx counterparts - well then from my experience you're absolutely right (my history is MS consulting, and the number of IIS admins who want 20 IP addresses for 20 sites because they don't get how to do host headers, DNS resolution etc, cannot be counted - the reverse can be counted on both hands over 20 years of doing this stuff).

Re:IPv6 should have been entrenched before TLD pro

[allo]

people will use .com and the Countrycodes anyway. The rest will just be reserved or redirections.

A and/or not.A

[CmdrTamale]

...The IP addressing and the naming (DNS) are two different structure.... One is physical and the other logical....

For ever smaller values of logical.

Re:IPv6 should have been entrenched before TLD pro

[jon3k]

Yes, you would use host headers in IIS.