A Tale of a Trailing Dot (2022)
a year ago
- #Security
- #DNS
- #HTTP
- Trailing dots in host names affect DNS resolution, HTTP headers, cookies, and SNI in HTTPS.
- DNS treats 'example.com' and 'example.com.' the same, but multiple trailing dots are invalid.
- HTTP Host headers should include trailing dots if present in the URL, allowing servers to differentiate.
- Cookies ignore trailing dots, treating 'example.com' and 'example.com.' as the same domain.
- SNI in HTTPS strips trailing dots, preventing differentiation between dotted and non-dotted hostnames.
- curl initially stripped trailing dots, then reverted to keeping them due to compatibility issues.
- Trailing dots caused security vulnerabilities in curl (CVE-2022-27779 and CVE-2022-30115).
- Public Suffix List (PSL) prevents overly broad cookie domains but is optional in curl.
- HSTS and alt-svc handling also required adjustments for trailing dots.
- Trailing dots remain a complex and unresolved issue in internet protocols.
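The points above describe one host string getting four different treatments depending on which protocol layer looks at it. The following Python is an added illustration of those rules written for this summary; it is not code from the original post or from curl. The function names, the `urlsplit`-based Host construction and the three-entry stand-in for the Public Suffix List are assumptions made for the example.

```python
"""Per-layer handling of a hostname with a trailing dot (added example, not curl's code).

The rules encoded here follow the summary above: DNS treats one trailing dot
as equivalent to none but rejects several; the HTTP Host header keeps the dot
so the server can tell the forms apart; cookie scope ignores it; SNI drops it.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: only these entries).
SAMPLE_PUBLIC_SUFFIXES = {"com", "co.uk", "github.io"}


def _strip_one_trailing_dot(host: str) -> str:
    """Remove exactly one trailing dot; leaves 'example.com..' as 'example.com.'."""
    return host[:-1] if host.endswith(".") else host


def dns_name(host: str) -> str:
    """Name handed to the resolver.

    'example.com.' is the absolute form of 'example.com' and resolves the same;
    two or more trailing dots are not a valid DNS name and are rejected here
    instead of being silently collapsed.
    """
    if host.endswith(".."):
        raise ValueError(f"invalid DNS name (multiple trailing dots): {host!r}")
    return _strip_one_trailing_dot(host)


def host_header(url: str) -> str:
    """Host header value for a request to `url`.

    The trailing dot is preserved when the URL carries one, so a server can
    serve 'example.com.' and 'example.com' differently if it wants to.
    A non-default port is appended as usual.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""  # lowercased by urlsplit, trailing dot retained
    default_port = {"http": 80, "https": 443}.get(parts.scheme)
    if parts.port is not None and parts.port != default_port:
        return f"{host}:{parts.port}"
    return host


def cookie_domain_key(host: str) -> str:
    """Key used to scope cookies: case-insensitive, trailing dot ignored, so
    'Example.COM.' and 'example.com' share the same cookie jar entry."""
    return _strip_one_trailing_dot(host.lower())


def cookie_domain_allowed(request_host: str, domain_attr: str) -> bool:
    """Decide whether a Set-Cookie 'Domain=' value may be accepted for a response
    from `request_host`.

    Both sides are normalized (trailing dot ignored, leading dot on the
    attribute ignored), the attribute must domain-match the request host, and
    a public suffix is refused so a cookie cannot be scoped to all of '.com'.
    """
    req = cookie_domain_key(request_host)
    dom = cookie_domain_key(domain_attr.lstrip("."))
    if not dom or dom in SAMPLE_PUBLIC_SUFFIXES:
        return False
    return req == dom or req.endswith("." + dom)


def sni_name(host: str) -> str:
    """Server name sent in the TLS ClientHello: the trailing dot is stripped, so
    the TLS server cannot distinguish the two URL forms."""
    return _strip_one_trailing_dot(host)


if __name__ == "__main__":
    url = "https://example.com./login"
    host = urlsplit(url).hostname
    print("resolve :", dns_name(host))
    print("Host    :", host_header(url))
    print("cookies :", cookie_domain_key(host))
    print("SNI     :", sni_name(host))
    print("Domain=com accepted?", cookie_domain_allowed(host, "com"))
```

Running the script on `https://example.com./login` shows the same host string resolving as `example.com`, travelling as `Host: example.com.`, being keyed in the cookie jar as `example.com`, and going out in SNI as `example.com`; the final line shows the public-suffix check refusing a `Domain=com` cookie.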