ICANN Releases Report On Dotless Domains Security Risks

ICANN released the Dotless Domain Name Security and Stability Study Report last week, which found a number of security risks should dotless domains be permitted under the new gTLD programme. ICANN describes dotless domains as those that consist of a single label (e.g., http://example, or mail@example). Dotless names would require the inclusion of, for example, an A, AAAA or MX record in the apex of a TLD zone in the DNS (i.e., the record relates to the TLD string itself).

Carve, the author of the report, identified three categories of concern that should be considered when analysing the impact of dotless names on the stability and security of the internet.

The first is namespace collision, which occurs when a dotless name used on a private network becomes a resolvable name on the public internet. The study confirmed that if systems are configured to use dotless domain names to locate intranet hosts, and these systems were to mistakenly use a public DNS server for name resolution, any dotless name collision would cause the system to attempt to interact with the internet-facing host. The study also suggests that users who are accustomed to accessing intranet resources via dotless names may unknowingly access untrusted Internet resources that share the same dotless names.
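The collision scenario described above, as an added illustration that is not code from the report or from ICANN: a small Python simulation of how a stub resolver expands a single-label name through its search list, run against constructed private and public zone data. The search suffix corp.example, the dotless TLD string "mail" and all addresses are hypothetical values chosen for the example.

```python
# Constructed sample data (not from the report): answers the private intranet
# resolver gives, keyed by absolute name (trailing dot).
PRIVATE_ZONE = {"wiki.corp.example.": "10.0.0.5", "mail.corp.example.": "10.0.0.6"}
# Hypothetical public DNS answers, including an A record at the apex of a
# dotless TLD "mail" (a constructed string, not a real or applied-for gTLD).
PUBLIC_ZONE = {"mail.": "203.0.113.10", "example.com.": "203.0.113.20"}
SEARCH_LIST = ["corp.example."]  # the host's configured DNS search suffix


def candidates(name, search_list, ndots=1):
    """Absolute names a stub resolver tries, in order, for a typed name.
    Mirrors the common ndots rule: a name with fewer than `ndots` dots is
    expanded with each search suffix first and tried as-is last; a name
    ending in a dot is absolute and skips the search list entirely."""
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{s}" for s in search_list]
    as_is = [name + "."]
    return as_is + suffixed if name.count(".") >= ndots else suffixed + as_is


def resolve(name, zone, search_list):
    """Return (absolute name, address) for the first candidate the zone answers."""
    for fqdn in candidates(name, search_list):
        if fqdn in zone:
            return fqdn, zone[fqdn]
    return None


def collision_report(names, private_zone, public_zone, search_list=SEARCH_LIST):
    """Compare what each configured name reaches via the intranet resolver
    versus a public resolver. A dotless name answering on both sides with
    different addresses is a namespace collision: a host mistakenly pointed
    at the public resolver would silently talk to the Internet-facing host."""
    report = {}
    for name in names:
        priv = resolve(name, private_zone, search_list)
        # Public DNS knows nothing about corp.example, so the suffixed
        # candidates fail and the bare single-label name hits the TLD apex.
        pub = resolve(name, public_zone, search_list)
        dotless = "." not in name.rstrip(".")
        collides = dotless and priv is not None and pub is not None and priv[1] != pub[1]
        report[name] = {"dotless": dotless, "private": priv, "public": pub, "collision": collides}
    return report


if __name__ == "__main__":
    for name, row in collision_report(["mail", "wiki", "example.com"], PRIVATE_ZONE, PUBLIC_ZONE).items():
        print(name, row)
```

Running the report over a host's configured hostnames is a cheap way to inventory which intranet names are single-label and therefore exposed to the collision the study describes.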

The second concern found by the study was user confusion, which highlights the fact that dotless domain names have been primarily used on private networks for decades. This paradigm has created an expectation of trust, held by users and technology implementers, that dotless domain names always point to internal hosts, as opposed to internet hosts.

The third concern the study found was technology confusion, where some software has been designed to make trust decisions based on the assumption that dotless names always refer to trusted hosts on private networks. Technology confusion is demonstrated, historically, by the automatic granting of dotless certificates by Certification Authorities (CAs), the "Intranet Zone" setting in Internet Explorer and Microsoft Windows, and the common use of dotless names to reference internal resources such as file shares.

The study suggests that this inherent trust in dotless names, by users and software, may lead to confusion when handling new Internet-facing dotless domains. This confusion can result in unexpected behaviour and a misappropriation of trust, ultimately degrading the stability and security of the internet.

As a result, Carve recommended that follow-up studies be conducted. One study, Carve suggests, should be designed and executed to identify specific high-risk names arising from the namespace collision introduced by dotless domain names on the internet. A second study should be performed to specifically quantify the level of human confusion created by the use of dotless names on the Internet.

In the event that applicants are permitted to operate gTLDs in a dotless fashion, Carve recommended in their report that outreach be performed to educate the software development community about the risks associated with trusting dotless names. This document, along with additional case studies and specific software engineering recommendations, can help software developers adapt their applications to a potentially different Internet namespace.

The full report by Carve is available for download from the ICANN website at www.icann.org/en/groups/ssac/documents/dotless-domain-study-29jul13-en.pdf.