An update on so-called dotless domains on the Internet

A couple of months ago I wrote here about the challenges with so-called “dotless” domains (e.g. http://microsoft instead of the common http://www.microsoft.com). Such shortcuts may seem harmless at first glance, but they raise many more issues than might be solved when it comes to completing and validating an Internet URL or email address.

As you may recall, Microsoft’s position (as noted in our comment here) is that such shortened domains are not a good idea, as called out in the report from ICANN’s own Security and Stability Advisory Committee. (You can view the complete report here.) We know that many others also support the view that dotless domains would not be universally reachable and would enable serious security vulnerabilities. Dotless domains would be confusing, and customers might not know what to expect when they entered such a shortened name.

In addition, the surface area that would have to be addressed, across all the different software components with stability and security concerns related to dotless names, is tough to cover. This is not just a problem for consumers: many businesses and organizations (from small businesses to complex, worldwide enterprises) have current and legacy software and services that follow the tradition of using dotless names exclusively in the intranet space.

For instance, here at Microsoft, if I type a dotless domain (e.g. “http://search”) into the address bar at work, I’ll go to my internal intranet search web page. Many companies function the same way, and you can imagine that any number of terms or strings used on many different intranet networks could have serious implications and repercussions, particularly if companies had to do additional work to parse and allocate these terms from a set of new top level domains.

I saw an example of what confusion could look like over lunch, as I attempted to register on a web site. In this case, the site failed to recognize an email address with only a dotless domain as valid…

Now, multiply that by the number of websites where you enter your email or web address and you can imagine the confusion, in addition to the work involved if every web site had to support new (and growing) dotless domains. (Certainly one of the new services that will open up will include selling/leasing new second level domains or Internet email addresses on the new crop of gTLDs.)

To address some of the confusion we’ve seen in the past (where companies have deployed single label domains), Microsoft and many others in the industry have provided guidance for developers, service providers and enterprises to use unambiguous Fully Qualified Domain Names. These FQDNs are sometimes referred to as absolute domain names; they specify locations in the tree hierarchy of the DNS, ensure that people get where they expect when they type in an Internet URL, and avoid any confusion.
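As an added example (not code from the original post or from Microsoft), the following Python sketch audits a list of configured URLs and email addresses for relative single-label hosts, which are the names that become ambiguous if a same-named TLD exists, and suggests an absolute FQDN for each. The `CORP_SUFFIX` value and the sample entries are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed intranet DNS suffix, for illustration only (not from the post).
CORP_SUFFIX = "corp.example.com"

def extract_host(entry):
    """Return the lower-cased host of a URL, email address or bare name."""
    if "://" in entry:
        return (urlsplit(entry).hostname or "").lower()
    return entry.rsplit("@", 1)[-1].strip().lower()

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def classify(entry):
    """Return 'empty', 'ip', 'multi-label', 'absolute-dotless' or 'dotless'."""
    host = extract_host(entry)
    if not host:
        return "empty"
    if is_ip_literal(host):
        return "ip"
    if host.endswith("."):
        # A trailing dot makes the name absolute: "search." can only be a TLD.
        return "multi-label" if "." in host[:-1] else "absolute-dotless"
    return "multi-label" if "." in host else "dotless"

def audit(entries, suffix=CORP_SUFFIX):
    """Pair every relative single-label entry with a suggested absolute FQDN."""
    return [(e, f"{extract_host(e)}.{suffix}.")
            for e in entries if classify(e) == "dotless"]

# Constructed sample configuration entries.
SAMPLE = [
    "http://search",              # intranet shortcut, as in the post
    "http://www.microsoft.com/",  # ordinary multi-label name
    "helpdesk@mail",              # email address with a dotless domain
    "http://10.0.0.5/wiki",       # IPv4 literal, not a DNS name
    "http://[::1]:8080/",         # IPv6 literal, not a DNS name
    "http://search./",            # absolute single-label name
]

if __name__ == "__main__":
    for entry, fqdn in audit(SAMPLE):
        print(f"{entry!r}: single-label host, consider {fqdn}")
```
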

Last week, the Internet Architecture Board (IAB) published a public statement calling attention again to the concerns about using dotless domains in the root zone, noting the relevant standards published in the IETF RFCs. In the statement, the IAB also cites the ICANN SSAC’s report SAC053 as “a reasonable summary of the technical problems that arise from the implementation of dotless domains.” The Register offers their own take in an article posted today.

I look forward to ICANN’s latest study to examine the potential risks related to dotless domain names (based on ICANN’s SSAC 053 report). Once it is released, Microsoft is interested in providing additional feedback and comments. The good folks at ICANN are holding their latest meeting in Durban this week, and I can imagine there will be some discussion around this (and many other pressing topics).

Also available via https://aka.ms/dotless2