Dotless Domains
76 comments
·May 11, 2025notepad0x90
throwaway519
Wasn't Cloudflare supposed to prevent DDOSing?
It seems only a privacy leak tool now.
1000 requests / min @ 10ms limit / request. That's 16 requests per second. Any reasonable CMS, wiki or blogging tool should be able to do one request in 62.5ms. Add on cacheing for non logged in users and nginx serving anything static, that's less than the power a $5 VPS provides.
At these rates, the case for Cloudflare is a lot less than it was.
tonyhart7
"Wasn't Cloudflare supposed to prevent DDOSing?"
there a fine line between DDOS from bots and 30k real users accessing your site at the same time
cloudflare do not provide resource for the latter
pxeboot
The Cloudflare Workers free tier is not unlimited. They offer two options on how to handle the situation [1].
[1] https://developers.cloudflare.com/workers/platform/limits/#d...
nulbyte
> According to ICANN's SSAC,[1] SMTP requires at least two labels...
ICANN does not define SMTP, and the "relevant quote" from SSAC in the article footnotes mentions nothing about it, either.
In fact, RFC5321 makes explicit reference to the possibility of an email address using a TLD as the domain in section 2.3.5.
qingcharles
I've known people back in the 90s with user@tld domains, and they were definitely sending and receiving mail. So, even if it wasn't spec-compliant it certainly got through all the early mail relays.
I mean.. you can use emoji domains right now. They work most places for email. The part I found didn't work so well is emoji usernames on emoji domains. That has poor deliverability.
Joker_vD
> you can use emoji domains right now
ICANN, by the way, heavily discourages such domain names, even though it can't actually prohibit them: yes, RFC 5892 explicitly prohibits emoji code points in internationalized domain names but so what? If registrars allow (and many acually do allow) registration of such names that only means that they violate some RFC and they already violate quite a lot of them. Who cares! Just pay the money and we will delegate you whatever names you want.
null
FlamingMoe
I think this post is trending because of a comment on the announcement about the new Pope, where someone pointed out the redundancy in the vatican.va domain.
AStonesThrow
The vatican.va domain has long been an outlier for not operating a web server at that shortened address.
They insist on using the “www.vatican.va” only, and my browser’s autocomplete history reflects this.
rat87
> There 86 domains names starting with "www" in the .va zone,[6] with many more email-only subdomains.
tech234a
Similarly, browsers also accept IP addresses in decimal form, for example http://16843009 for 1.1.1.1
ranger207
Usually they'll also accept octal with a leading zero (010.010.010.010 is 8.8.8.8), hexadecimal with a leading 0x, and omitted 0 octets (127.1 is 127.0.0.1). IIRC these are all adopted from BSD's sockets library, or some similar early IP implementation
ryao
They will accept IPv4 addresses in IPv6 addresses too:
Sadly, cloudflare does not.
efitz
That is a syntactically and semantically valid IPv6 address; no browser trickery.
esperent
What's decimal form (base ten?) and why is that 16843009 the decimal form of 1.1.1.1?
fluidcruft
1.1.1.1 is 0x01010101 and 0x01010101 is 16843009 in decimal
esperent
> 1.1.1.1 is 0x01010101
Huh, in many years of web development I never knew that. Thanks!
ForOldHack
Um no. Parent is exactly right: p256^3+q256^2+r*256+s
itsgrimetime
00000001 00000001 00000001 00000001 = 16843009 in base 10 (concatenate each dot-separated 8bit number as one big base 10)
phanimahesh
IP addresses are 4 bytes, each in the range 0-255. In binary bits xyz would be equivalent to decimal x2^2+y2+z. Similarly, bytes abc would be equivalent to decimal a256^2+b256+c.
IP address p.q.r.s is decimal p256^3+q256^2+r*256+s.
90s_dev
I'm bad at math. What's the algorithm for this? Something about 256^(1..4)?
opello
You can think about it like the IP address in hex if you like: 0x01.0x01.0x01.0x01 becomes 0x01010101 which is 16,843,009. So the first 0x01 is 0x01000000 which is the familiar 16,777,216 which then gets the further "base 256 digits" added to it.
Or maybe in your terms it's 256^(0..3) where you can think of it like each dotted component is a symbol (like 0-9 in base 10) where each component is a position digit. Where the right-most element is the "256^0" ("ones") digit, and the left most element is the "256^3" ("16,777,216s") digit.
hug
IPs are 4 octets, normally represented as a decimal between 0 and 255, or 00000000 and 1111111 in binary.
Remove the dots and concat the binary value for 1.1.1.1 and you get 00000001000000010000000100000001.
Convert that binary value to decimal and you get 16843009.
davejagoda
echo 256^3+256^2+256^1+256^0|bc
16843009
90s_dev
Ha, then I was right, but with a one-off error!
hirsin
At one point we were looking at moving a bunch of separate domains under a single dotless domain, due to the threatened death of 3p cookies, so that cookies could be dropped directly onto the cctld (think "you're logged into the entire TLD"). As the owners of the cctld it felt like a neat use that technically could work but ICANN and other groups are explicitly against that.
To me it felt very AOL keyword
mattl
I think done well, AOL keywords are actually a good idea.
They could also cut down on the fraudulent websites out there.
Not sure how to fully implement it but given the safe browsing features already implemented in web browsers it could perhaps be part of that. Or a new TLD.
Animats
Most browsers treat one word not as a domain but as a search key. This was an issue when companies started getting their own TLDs. Could you just type "amazon" or "microsoft", which are TLDs, and go there without being diverted to a search engine? The answer is no. Even if you put a dot after the domain name.
DNS lookup and web browser domain lookup are not quite the same. This is the price of a unified input bar.
wibbily
Mobile Safari likes to do this to me w/ machines on my tailnet. Whether dropping "foo:8080" in the address bar takes me to the webserver or to Google is random and I swear there is no pattern
CraftThatBlock
At a previous company, our intrasite was a bare custom domain, and the most reliable way to get there was to add a / at the end. This is likely browser dependent though
tony-allan
Website is currently rate limited.
tzury
All domains including TLDs are sub domains of “.”
That’s why there is a trailing dot you see in NS records for example.
stackskipton
Trailing dot is complete record, don't add any search domains onto it. (https://en.wikipedia.org/wiki/Search_domain) It's why NS records should have trailing dot in return to prevent unexpected lookup behavior.
Technically you can put just hostname for CNAME record. Obviously, any clients that don't have that domain as search domain will fail but for internal domain, you could do it.
Salgat
Seems Chrome also adds the dot at the end in the address bar.
jfengel
Oh. Thank you. I had wondered.
90s_dev
Ahh, I actually ran into this question, at least indirectly, about a month ago!
I was writing an email validator for my project which I'm so excited to announce soon. And my research (some stackoverflow answers) suggested that, yeah, you can have "a@b" as a valid email, as long as there's a one-letter TLD that can have MX records.
Which it seems there can be!
So my email validator is essentially just /^.{1,}@.{1,}$/ ... yay.
gerdesj
I don't know if it is still required but hostnames used to require a minimum of two chars and the first shalt not be an integer. Given that DNS does not put a proper boundary on host/domain, that might extend to your top level ... thingie.
However, there is absolutely no technical reason that I can think of that precludes u@x. In the end DNS query -> DNS answer. Given that say, PowerDNS has LUA built in, I can make it respond with "my little pony's stable is in {random_country}" - to A record requests, which might make the requester a little queasy!
Bugger standards, they are so 1990s!
null
esperent
the first shalt not be an integer
I recently came across the 3.ie domain so I guess that's more of a guideline than rule.
AStonesThrow
I believe that the rule has been deprecated due to better parsing.
In the mid-90s, 3M was a customer of the ISP I worked for. Unable to procure the domain name “3m.com” they settled for the alternate “mmm.com”: mildly hilarious considering their lines of business.
qaisjp
out of curiosity, why are you trying to validate emails?
90s_dev
Just a base level regex before sending emails, to avoid some errors sending to non-email addresses and logging otherwise unnecessary errors.
esperent
The best you can hope to do is reduce a small class out of possible errors. But you'll never get a test that can prevent errors like name@gnail.com, name@gmaip.com, nane@gmail.com etc. So is it really worth doing any checks at all?
I have a .blue email address and it's amazing how many sites still won't accept it. I keep a spare Gmail account for these.
bch
Does this block things like the unconventional Google-filing trick of:
myemail+90sdev@gmail.com
qingcharles
Does your regex support emoji usernames and domains? (both of which are in use, e.g. https://mailoji.com/)
andrewmcwatters
You should know there is a standard regular expression for validating email addresses mentioned in an RFC.
90s_dev
I'm sure there is. And I'm sure many email servers deviate from it.
zoky
I had a teacher in high school who once wrote a URL on the whiteboard like this: com/foo/bar.html
Upon informing him that he had forgotten to write the domain, I learned that the site was actually www.com, and he had just left the http://www part off because “the web browser adds that automatically”. I assured him that, while in principle he was more or less correct, but in this case it wouldn’t work. He ended up adding the www, but I could tell he was skeptical that I was just being a smart ass.
zatkin
It's funny seeing that list of MX apex records. In response to me trying to show off how I had acquired a single letter domain, and had a single letter e-mail address (which resulted in *@*.**, replacing asterisks with letters), my boss showed how he was able to receive an e-mail address under one of those two-letter 'MX apex records'...
vzaliva
I knew someone who had email ??@ua (two letters masked for priivay) which might have been one of the shortest email addresses in the world. Unfortunately it was not very useful as most email systems failed to recognize it as a valid email address. :(
codethief
> two letters masked for priivay
You do realize there are not that many two-letter combinations…? :)
Does HN really have that many lurkers that it can can cause a hug-of-death on a website behind cloudflare like this??