A number of companies have experienced errors on their networks due to collisions with a newly introduced gTLD.
The initial outcry from victims can be characterized as a storm of profanity, which it could be argued is a good thing for security but not great for ICANN’s reputation.
The collisions, which I believe are the first to be publicly and widely reported, are due to Google’s new gTLD .prod, which was delegated September 1.
Google intends to use the TLD as a shorthand for “product”, but it seems some companies use it internally to mean “production”, meaning production servers rather than testing or development servers.
Issues started being reported on online fora on September 3, with Google unfairly bearing the brunt of the initial blame. Here are a few of the earliest examples from Twitter:
Hey Google, fuck you for making .prod a valid TLD, what the fuck is wrong with you
— eesperan (@eesperan) September 3, 2014
anyone else having fun name resolution issues because of the new .prod tld google just put online? http://t.co/jq104uAym0
— Chris Johnson (@point9repeating) September 3, 2014
A day later, Reddit user “cunttard”, under a post entitled “Fuck Google”, wrote:
Google recently activated prod. TLD.
They also decided to wildcard DNS all entries to 127.0.53.53 to resolve name collisions for internal organisations. All because they wanted .prod for product? Why not fucking request .product?
The implications have been fucking horrendous. I am in the process of helping a mate unfuck his organisation's DNS, which heavily relied on resolver search $FQDN to map xyz.prod to xyz.prod.$FQDN. Note this wasn’t even used as an internal TLD. Now they’re all resolving short names to 127.0.53.53. Lesson learnt; always use FQDN everywhere.
I’m just fucking sick of ICANN / Google continuing to fuck DNS.
LinuxQuestions user “fantasygoat” started a thread entitled “New tLD .prod is messing with my configs”, in which he wrote:
I used to be able to refer to just the subdomain in a DNS lookup, like “www1.prod” and it would know I meant “www1.prod.example.com”, my local domain. I’ve been using prod.example.com for decades as the production subdomain for various things.
Now it resolves to 127.0.53.53, which I believe is ICANN’s hack DNS answer for tLDs.
So, I have a bunch of config files without the domain name and it’s messing stuff up. Does anyone have a workaround so I can have my DNS respond to .prod requests as a subdomain of my domain?
I’ve found a couple of other examples on various mailing lists and web forums with systems administrators experiencing similar issues over the last week.
In each reported case of a .prod collision I’ve been able to find, the admin either had already worked out that he needed to use a fully-qualified domain name (e.g. www.prod.example.com instead of www.prod) or was swiftly advised to do so by those responding to his post.
Most seem to have spotted that instead of returning NXDOMAIN errors, Google is returning the IP address 127.0.53.53, which was chosen because it’s an internal (loopback) IP address and because 53 is the TCP/IP port number for DNS.
Diverting to 127.0.53.53 is designed to catch the eye, alerting admins to the need to correctly configure their networks.
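The two checks an affected admin would want, written here as an added example rather than code from any of the posts quoted above: spot answers that are the 127.0.53.53 sentinel, and find config entries that depended on the resolver search list so they can be rewritten as FQDNs. The function names, the watchlist, the sample config and the (name, address) pair format are constructed for illustration; example.com is the local domain used in the forum post.

```python
import ipaddress
import re

COLLISION_SENTINEL = ipaddress.ip_address("127.0.53.53")  # address named in the article

# Dotted host names whose final label starts with a letter (skips IPv4 literals).
NAME_RE = re.compile(r"(?<![\w.-])(?:[a-z0-9-]+\.)+[a-z][a-z0-9-]*(?![\w-])", re.I)

# Constructed sample data (assumptions, not taken from a real network).
WATCHLIST = {"prod", "guru"}  # the two TLDs the article names
SAMPLE_CONFIG = """\
upstream = www1.prod
replica = db2.prod:5432
fallback = www1.prod.example.com
docs = wiki.staging
listen = 10.0.0.5
"""
SAMPLE_ANSWERS = [
    ("www1.prod", "127.0.53.53"),
    ("www1.prod.example.com", "192.0.2.10"),
    ("db2.prod", " 127.0.53.53"),
]


def is_collision_answer(address):
    """True if a resolver answer is the 127.0.53.53 collision sentinel."""
    try:
        return ipaddress.ip_address(address.strip()) == COLLISION_SENTINEL
    except ValueError:
        return False


def collided_names(answers):
    """Names from (name, address) pairs that resolved to the sentinel."""
    return [name for name, address in answers if is_collision_answer(address)]


def find_search_list_names(config_text, local_domain, watchlist):
    """Return (line_no, name, fqdn) for names outside local_domain whose last
    label is a watched TLD, i.e. names that relied on the resolver search list."""
    suffix = "." + local_domain.lower()
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        for match in NAME_RE.finditer(line):
            name = match.group(0).lower()
            if name.endswith(suffix) or name.rsplit(".", 1)[1] not in watchlist:
                continue
            findings.append((line_no, name, name + suffix))
    return findings
```

Each finding carries the fully-qualified replacement, so the output can be reviewed line by line before any config file is changed.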
It certainly seems to be doing that, but it’s not winning ICANN or new gTLD registries any new friends.
Nobody has yet reported death or injury due to a collision.
Update: There has been one previously reported collision, concerning .guru.