> From: Richard M. Smith [mailto:rms@computerbytesman.com] > Sent: Monday, October 13, 2003 5:18 PM > To: BUGTRAQ@SECURITYFOCUS. COM > Subject: What software breaks because of this DNS feature? > > > Hi, > > According to RFC1034, "cnn.com" and "cnn.com." should be the > same domain names. However, it doesn't appear that programmers always > understand that trailing dots can be added to domain names. IIS often fails to interpret a trailing dot correctly: http://www.microsoft.com/ http://www.microsoft.com./ I used to routinely put a trailing dot on FQDNs when I typed in URLs, since that should in theory skip extra resolver queries using my configured domain searchlist. I had to give up the practice years ago because so many sites fail with trailing-dot FQDNs. However: RFC 2616 (HTTP/1.1) requires that the Host header be taken literally from the request URL, and cites RFC 1738 (Uniform Resource Locators) for URL format. RFC 1738 (3.1) cites RFC 1034 (3.5) and RFC 1123 (2.1) for FQDN format. As I read the grammar given by RFC 1034 (Domain Names) in 3.5, it does *not* permit a trailing dot: <domain> ::= <subdomain> | " " <subdomain> ::= <label> | <subdomain> "." <label> <label> ::= <letter> [ [ <ldh-str> ] <let-dig> ] (A "." must be followed by a <label>, and a <label> cannot be empty.) RFC 1034 (3.5) does not appear to have the force of a requirement, and other standards could conceivably take precedence, but this does look like an argument for the defense. What in RFC 1034 do you believe requires handling a trailing dot? RFC 1123 (Host Requirements) defers to RFC 952 (HOSTS.TXT) for host name syntax, with the exception that the first character is now allowed to be a digit. RFC 952 (ASSUMPTIONS 1) states: "The last character must not be a minus sign or period". Given all that, I think HTTP servers are not technically broken if they fail to interpret a trailing-dot FQDN as equivalent to a no-trailing-dot FQDN. I don't know if any of the DNS standards require ignoring the trailing dot in searches, but that's a side issue for other programs that process FQDNs for other purposes, such as HTTP "virtual host" processing. I'd like to believe that support for trailing-dot FQDNs is required, but I don't think that's the case. -- Michael Wojcik Principal Software Systems Developer, Micro Focus
