Hello,
At 11:59 10-07-2013, Russ Housley wrote:
The IAB has made a statement on dotless domains. You can find this
statement here:
http://www.iab.org/documents/correspondence-reports-documents/2013-2/iab-statement-dotless-domains-considered-harmful/
There was a report from the ICANN Security and Stability Advisory
Committee in February 2012 on "Dotless domains". An IAB statement
about "Dotless Domains Considered Harmful" is issued over a year
after that. I am surprised that a draft of the statement was not
brought to the attention of the IETF participants who have been
discussing the use of dotless domains on the SMTP mailing
list. To be fair, I should have read the minutes and enquired about
the matter instead of commenting about the matter after the fact.
ICANN announced in May 2013 that "it has commissioned a study on the
potential risks related to dotless domain names based on SAC 053
report". The announcement mentioned that in June 2012 "the ICANN
Board directed staff to consult with the relevant communities
regarding implementation of the recommendations in SAC 053". One of
the recommendations in SAC053 is that:
"As a result, the SSAC also recommends that the use of DNS resource
records such as A, AAAA, and MX in the apex of a Top-Level Domain (TLD)
be contractually prohibited where appropriate and strongly discouraged
in all cases."
I don't know whether the ICANN Board considers the IETF as a relevant
community. I read several IETF Fluff Area mailing lists. I did not
see any message about a consultation regarding that recommendation.
The IAB statement mentioned that:
"The IAB believes that SSAC report SAC053 [SAC053] is a reasonable summary
of the technical problems that arise from the implementation of dotless
domains."
I would describe the report as an adequate summary of the technical
problems for a non-technical audience.
RFC 5321 was published in October 2008. SAC053 references RFC 2821
on Page 7. It is odd that the members of the ICANN Security and
Stability Advisory Committee were not aware that RFC 2821 was then
considered as obsolete for over three years.
From the IAB statement:
"SAC053 does not, however, discuss the standards compliance aspect."
And from SAC053:
"Thus standard-compliant mail servers would reject emails to addresses such
as user@brand."
The report mentions a standards compliance aspect.
From the IAB statement:
"The use of SHOULD for [RFC 1123 section 6.1.4.3] (b) is a recommendation
against doing DNS queries for dotless domains. RFC 2119 explains the
meaning of SHOULD as follows:"
and the statement quotes text from RFC 2119. The meaning of the
"SHOULD" in RFC 1123 is explained in RFC 1123. RFC 1123 was
published in October 1989. RFC 2119 was published in March 1997. I
suspect that the IAB may have used time-travel technology for the
"discussion of standards conformance".
The IAB issued a statement about "The interpretation of rules in the
ICANN gTLD Applicant Guidebook" in February 2012. That report also
refers to "one of the specific TLD requirements set by RFC 1123". It
seems to me that the conversations with subject matter specialists
were mainly about adding a "string" to the Root Zone and that the
protocol-related issues might not have been conveyed clearly given
that the IAB issued the statement about "dotless domains" in July 2013.
The IAB previously mentioned that it maintains its chartered
responsibility about the RFC Series. The IAB statement refers to
RFCs from the www.faqs.org website. It might be better to reference
the rfc-editor.org links or else there may be a perception that the
IAB is not aware of the most stable reference available.
Regards,
S. Moonesamy