- From: Adam M. Costello BOGUS address, see signature <BOGUS@BOGUS.nicemice.net>
- Date: Sat, 28 Aug 2004 04:17:44 +0000
- To: uri@w3.org

I wrote:

> This implies that the meaning of http://www.w3.org/ might change
> depending on where it is interpreted, unless the HTTP spec requires the
> use of domain names, which it currently does not (because it depends on
> RFC-2396 for that requirement).

"Roy T. Fielding" <fielding@gbiv.com> replied:

> Which doesn't require globally-scoped FQDNs either.

True, but it does recommend them, and does provide a way to guarantee
that they are globally-scoped FQDNs:

    The rightmost domain label of a fully qualified domain name will
    never start with a digit, thus syntactically distinguishing domain
    names from IPv4 addresses, and may be followed by a single "." if it
    is necessary to distinguish between the complete domain name and any
    local domain.  To actually be "Uniform" as a resource locator, a URL
    hostname should be a fully qualified domain name.  In practice,
    however, the host component may be a local domain literal

> > Does the HTTP spec need to be updated to explicitly require domain
> > names?  Or is it intended to relax the semantics of http URIs and
> > allow http://www.w3.org/ to mean different things in different
> > places?
>
> www.w3.org already means different things in different places.

Then I'll ask the same question for "www.w3.org.".  The combination of
RFC-2616 and RFC-2396 guarantees that http://www.w3.org./ has one
globally unique meaning, but the combination of RFC-2616 and rfc2396bis
allows it to mean different things in different places (because in some
places www.w3.org. might not be a domain name at all, according to
rfc2396bis).  Is that relaxation intended, or does the HTTP spec need to
be updated to require domain names?

> All you need to demonstrate that fact is to create a subdomain prefix
> within your domain, e.g.,
>
>    www.w3.org.example.com
>
> place an HTTP server there and you will see that all of the requests
> to the above "http://www.w3.org/" from within the example.com network
> will go to the local domain instead.

This was true years ago, but RFC-1535 identified this problem and
suggested a countermeasure back in 1993, and I think most resolvers
today adhere to those suggestions.  I think today resolvers will look
up www.w3.org before trying www.w3.org.example.com, and any resolver
that tried them in the other order would be considered to have a
security bug.

AMC
http://www.nicemice.net/amc/

Received on Saturday, 28 August 2004 04:17:46 UTC
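
The lookup-order point in the message above, as an added example that is not part of the original post: a simplified Python model of how a stub resolver expands a host name against a search list, with the absolute name tried first (the RFC-1535 countermeasure) or last (the older behavior). The function names, the `ndots` threshold convention borrowed from common Unix resolvers, and the sample search list are assumptions of this example.

```python
def candidates(name, search, ndots=1, absolute_first=True):
    """Return the query names in the order a stub resolver would try them.

    Simplified model (assumption): a name with at least `ndots` dots is
    tried as an absolute name before the search list is applied.
    absolute_first=False models the older search-list-first behavior.
    """
    if name.endswith("."):
        # Trailing dot marks a fully qualified name: no search expansion.
        return [name]
    expanded = [f"{name}.{suffix}." for suffix in search]
    absolute = name + "."
    if absolute_first and name.count(".") >= ndots:
        return [absolute] + expanded
    return expanded + [absolute]


def tried_before_global(name, search, **kwargs):
    """Local expansions that are queried before the global name.

    A non-empty result means a record under the local domain can answer
    for a name the user meant globally, so the host's meaning depends on
    where it is resolved.
    """
    order = candidates(name, search, **kwargs)
    absolute = name if name.endswith(".") else name + "."
    return order[: order.index(absolute)]


if __name__ == "__main__":
    search = ["example.com"]  # constructed sample search list
    cases = [
        ("www.w3.org", {}),                          # absolute name first
        ("www.w3.org", {"absolute_first": False}),   # older ordering
        ("www.w3.org.", {"absolute_first": False}),  # trailing dot
        ("www.w3.org", {"ndots": 5}),                # high ndots threshold
    ]
    for name, opts in cases:
        print(name, opts, "->", candidates(name, search, **opts),
              "| local first:", tried_before_global(name, search, **opts))
```

In this model a high `ndots` threshold puts the search list back in front of multi-label names, and only the trailing-dot form is never expanded.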