CyberEye

Blog archive
Broken window showing poster of generic top level domain names

New domain names bound for collisions: 'Things are going to break'

The Internet is on the brink of the largest expansion of generic Top Level Domains in its history, with as many as 1,000 new strings expected to be added over the next year, more than quadrupling the current gTLD space.

Some observers, including the operator of two of the Internet’s root zone servers, worry that this expansion of public domains could result in naming collisions with private internal network domains, disrupting those networks.

“We know things are going to break,” said Danny McPherson, chief security officer of Verisign, the company that runs the A and J root servers. Networks in the .gov domain could be affected, as well as those supporting emergency services such as public safety answering points for the nation’s 911 system. “It makes us uneasy,” McPherson said.

At risk is any enterprise with a network naming scheme using domain names for non-public resources that are the same as new domain name strings now being considered for approval on the Internet. There are 1,833 such names now being considered by the Internet Corporation for Assigned Names and Numbers, and the approved new gTLDs could begin being delegated in the root system later this year.

The resulting collisions could cause some networks to become about as useless as the Washington Beltway on Friday afternoon.

The solution is to change those internal domain names to avoid naming collisions. But this can be a complex job for a large enterprise, and McPherson worries that many administrators are not aware of the issue. He believes the 12 root zone operators have a responsibility to monitor the global systems to identify potential collision situations and warn network operators in advance. But there is no zone-wide system to provide that visibility.

Top Level Domains are the suffixes on URLs that appear to the right of the final dot in the address, such as .gov and .com. There now are 317 of these, including country names such as .us and .uk. Name servers in the Domain Name System use authoritative lists maintained in the 13 root servers to associate URLs with an IP address to direct queries. The potential problem with the domain expansion is that requests for a network’s internal domains are routinely checked against the global DNS database as well as the local enterprise name database. If the domain name is not in the global database, it looks for it in the local database, and the query is directed to the proper server within the network.

But if that internal name is added to the Internet’s collection of domains, the internal request will be sent out to the Internet and the user will not be able to access resources on his own network.

How likely is this to happen? Take .home for instance. This is a default internal domain name used on millions of pieces of home networking equipment. McPherson said .home is one of the top five queries received by Verisign’s root servers. It also is one of the most coveted new gTLDs being considered, with 11 applicants. Other commonly used internal domain names being considered for the Internet include .inc, .corp, .cloud and .mail.

McPherson also is concerned that less commonly used names such as .med that might be used by hospitals and clinics for connecting with health care equipment could suddenly become unavailable internally if .med goes onto the Internet.

Ideally, if you are managing a network you would be warned by the root zone operators when they notice local domain queries from your network that would be likely to result in collisions. With no system in place for monitoring for this, however, the responsibility falls on network administrators to know their naming schemes, pay attention to ICANN’s new gTLD program,  and make sure they are not using new Internet domains internally.

Posted by William Jackson on Jul 12, 2013 at 12:38 PM


Reader Comments

Mon, Jul 15, 2013 Sorgfelt

I use internal domain names, but these are defined in a DNS for the local network that is used as the primary and only DNS in our network. If the domain name can be found in the local DNS, it uses it, otherwise the local DNS forwards the request to a global DNS. So, the only bad thing that would happen is that a new global domain name that matches our local domain name would be unavailable. In any case, just as 192.168.0.0 and 10.0.0.0 are reserved, so should there be reserved top level domain names that internal networks could use. ".home" would be one perfect case.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

resources

HTML - No Current Item Deck
  • Transforming Constituent Services with Business Process Management
  • Improving Performance in Hybrid Clouds
  • Data Center Consolidation & Energy Efficiency in Federal Facilities