The basis of the RFC1535 was related to the last part of my answer in
question http://answers.google.com/answers/threadview?id=754114.
An Absolute Rooted FQDN must end in a trailing "."; this was to
indicate you had reached the top level of domain to search. As you
remember from the previous question, a FQDN in folder structure looks
like:
/com
/google
/answers
The Absolute Rooted FQDN would look like this:
Answers.Google.com. (note the trailing "."; it is not an error. It
indicates there is no domain above "COM" that needs to be searched.)
RFC1535 addresses a potential for errors in attempting to resolve
domain names when using certain versions of BSD BIND software which
was used to resolve FQDNs to IP addresses.
So for argument's sake, if you failed to add a trailing "." on the end
of a domain you could possibly be misdirected to another domain.
So if you entered Answers.Google.com (note there is no trailing ".")
the BIND resolver client would then continue searching all top level
domains until it finds a match. So Answers.Google.com would be
searched for in:
Answers.Google.com.edu
Answers.Google.com.mil
Answers.Google.com.de
Answers.Google.com.mx
Answers.Google.com.org
The second part of the RFC is a security risk based on this issue. If
someone were to enter a DNS entry for "Harvard.edu.com" on their local
server, then anyone searching from a ".com" site would be
redirected to "Harvard.edu.com" instead of "Harvard.edu". To use a
scary example, if someone wanted to maliciously use this available
hole in security, they could add the DNS entry for a ".net" bank
domain on a ".com" server; then everyone searching for that bank's
domain would wind up on their fake domain, because "ExampleBank.net"
(without a trailing ".") would resolve on ".com" servers to
"ExampleBank.net.com". Now they would just need to set up a fake login
page for that bank and they could collect usernames and passwords all
day.
This would even be further complicated if people registered TLD names
as domains, "EDU.com", "NET.com", etc.
The suggested solution basically limits the way BIND clients would
search for the actual domain to help avoid these situations. The end
result was that this caused the necessary changes and the trailing "."
is no longer a requirement for a FQDN.
Rules of domain naming were changed to avoid the edu.com or mil.gov
issues, and currently there have been no new issues surfacing in this
debate since about 1995 (and most of those were admins who had poorly
formatted their own DNS servers).
It was obviously good to point out a potential issue which would have
quickly become a HUGE problem had it not been corrected.
It is no longer an issue today based on the numerous changes that were
made since 1993 when the RFC was written.
Edu.com addresses are no longer an issue as DNS resolution has been
drastically changed.
Of course if you have any need for further information please use the
request clarification button before rating this question.
Thanks for the interesting questions; I had to really scrape the back
of my brain for the details of these situations.
[-- Mother911-ga --]
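The search-list behaviour the answer above describes, as an added example that is not part of the original post or of BIND: a small simulation of how a pre-RFC 1535 resolver appended suffixes derived from the host's own domain (so a host in "customer.com" turned "ExampleBank.net" into "ExampleBank.net.com") beside the RFC 1535 recommendations (a trailing "." means absolute; a name containing a dot is tried as typed before any suffix is appended; the search list is explicit and never ends in a bare TLD). The record table, the hostnames "examplebank.net", "customer.com", "harvard.edu", and the wildcard entries "*.net.com" and "*.edu.com" are constructed sample data; the addresses are from the documentation ranges.

```python
"""
Simulation of the resolver search-list problem described in RFC 1535.
Added illustration only; not code from the Google Answers post or from
BIND. All records below are constructed sample data.
"""

# Constructed "DNS": absolute names (no trailing dot) -> address.
# "*.net.com" and "*.edu.com" stand in for the wildcard records a squatter
# on a TLD-like second-level domain would publish.
RECORDS = {
    "examplebank.net": "198.51.100.10",   # the real bank
    "harvard.edu": "198.51.100.20",
    "www.customer.com": "198.51.100.30",  # a host inside the victim's domain
    "*.net.com": "203.0.113.66",          # squatter: fake bank lives here
    "*.edu.com": "203.0.113.67",          # squatter: fake "edu" sites
}


def lookup(name):
    """Exact match first, then a wildcard record covering the immediate
    parent (one-label '*' matching is enough for this illustration)."""
    name = name.lower().rstrip(".")
    if name in RECORDS:
        return RECORDS[name]
    if "." not in name:
        return None
    parent = name.split(".", 1)[1]
    return RECORDS.get("*." + parent)


def implicit_search_list(local_domain):
    """Pre-RFC 1535 behaviour: derive a search list from the host's own
    domain by stripping leading labels, e.g. 'www.customer.com' ->
    ['www.customer.com', 'customer.com', 'com']. Note the bare TLD at the end:
    that is what makes 'examplebank.net' become 'examplebank.net.com'."""
    labels = local_domain.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def resolve_legacy(name, local_domain):
    """Old resolver: try every search-list suffix first and only fall back to
    the name as typed if all of them fail. Returns (name_resolved, address)."""
    if name.endswith("."):  # a trailing dot was the only way to force absolute
        return (name.rstrip("."), lookup(name))
    for suffix in implicit_search_list(local_domain):
        candidate = f"{name}.{suffix}"
        addr = lookup(candidate)
        if addr is not None:
            return (candidate, addr)
    return (name, lookup(name))


def resolve_rfc1535(name, search_list, ndots=1):
    """RFC 1535 recommendations: a trailing '.' means absolute and stops
    searching; a name with at least `ndots` dots is tried as typed before any
    suffix is appended; the search list is explicit, supplied by the admin,
    and must not contain a bare TLD such as 'com'."""
    if name.endswith("."):
        return (name.rstrip("."), lookup(name))
    candidates = []
    if name.count(".") >= ndots:
        candidates.append(name)
    candidates += [f"{name}.{s}" for s in search_list]
    if name.count(".") < ndots:
        candidates.append(name)
    for candidate in candidates:
        addr = lookup(candidate)
        if addr is not None:
            return (candidate, addr)
    return (name, None)


if __name__ == "__main__":
    # A user on www.customer.com types the bank's name without a trailing dot.
    print("legacy  :", resolve_legacy("examplebank.net", "www.customer.com"))
    print("legacy  :", resolve_legacy("examplebank.net.", "www.customer.com"))
    print("rfc1535 :", resolve_rfc1535("examplebank.net", ["customer.com"]))
    print("rfc1535 :", resolve_rfc1535("www", ["customer.com"]))
```

In the legacy path the only defence is the trailing dot the answer talks about; with the RFC 1535 rules the bare name "examplebank.net" is tried as an absolute name first, so the squatter's "*.net.com" wildcard is never consulted, while a single-label name such as "www" still gets the local "customer.com" suffix appended.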