ICANN released the Dotless Domain Name Security and Stability Study Report (pdf) tonight which was prepared by Carve Systems.
Dotless Domains are a big topic of conversation ever since Google announced it wanted to operate the new gTLD .search as a “Dotless Domain”
The bottom line of the report is that technically Dotless domains are possible, but there are some issues which require additional study. As for User confusion “it seems inappropriate to simply dismiss the option to foster awareness about dotless names. Users could be informed through a variety of means, such as direct software interaction, and traditional marketing efforts. The exact recommendations would depend heavily on the results of the “user confusion” survey, focusing on Internet users.”
Here are the conclusions:
After completing the study on the security and stability impact of dotless domain names, Carve has compiled several recommendations.
During the study, it became clear that most of the application classes studied currently support dotless domain names.
Software that would use dotless names over a private network will also support them over a public network.
Based on the three concerns highlighted in the Executive Summary, namespace collision, user confusion, and technology confusion, Carve has the following high-level recommendations.
Namespace Collision Recommendations:
In the event that dotless domain names are allowed, Carve suggests that potentially dangerous strings be identified and reserved for use on internal networks only.
The criteria for classifying a dotless string as “dangerous” would be how widely the string is used to resolve internal resources on private networks.
The more a dotless TLD is used across individual private networks, the greater the potential for negative impact in the event the name becomes publicly accessible on the Internet.
One method for generating a list of dangerous strings is to identify DNS requests for dotless names that have leaked to the Internet. Root server data analysis could be used to create a list of leaked dotless names,andthislistcanbefurtheranalyzedbasedonthefrequencythatnamesappear.
The leaking frequency should be taken into consideration during the gTLD approval process to make judgments on a string’s potential impact on private networks. A high frequency would potentially lead to a string being added to a restricted list or carefully controlled via contractual obligations between ICANN and the applicant.
The DNS Operations Analysis and Research Center posted a blog article (https://www.dns- oarc.net/node/314) that contained data describing “single label” strings that leaked to public DNS servers.
A more structured analysis of this data could help to determine what strings should be reserved and/or carry additional risk when used in a dotless fashion.…
