Does HN really have that many lurkers that it can cause a hug-of-death on a website behind cloudflare like this??
throwaway519 · 1h ago
Wasn't Cloudflare supposed to prevent DDOSing?
It seems only a privacy leak tool now.
1000 requests / min @ 10ms limit / request. That's 16 requests per second. Any reasonable CMS, wiki or blogging tool should be able to do one request in 62.5ms. Add on cacheing for non logged in users and nginx serving anything static, that's less than the power a $5 VPS provides.
At these rates, the case for Cloudflare is a lot less than it was.
tonyhart7 · 39m ago
"Wasn't Cloudflare supposed to prevent DDOSing?"
there's a fine line between DDOS from bots and 30k real users accessing your site at the same time
cloudflare do not provide resource for the latter
ezfe · 23m ago
This isn’t a performance hug of death, it’s a rate limit one.
mklepaczewski · 33m ago
62.5ms for a non-cached request? In my experience that’s really fast response time for a blog even on a dedicated bare-metal server.
franga2000 · 4m ago
Looks like it's not "behind cloudflare", but served using Cloudflare Workers. Probably on the free tier, which is capped at 100000 req/day.
pxeboot · 1h ago
The Cloudflare Workers free tier is not unlimited. They offer two options on how to handle the situation [1].
User would have to enable caching in CF and the response from the server would have to be cacheable for CF for caching to kick in.
nulbyte · 3h ago
> According to ICANN's SSAC,[1] SMTP requires at least two labels...
ICANN does not define SMTP, and the "relevant quote" from SSAC in the article footnotes mentions nothing about it, either.
In fact, RFC5321 makes explicit reference to the possibility of an email address using a TLD as the domain in section 2.3.5.
qingcharles · 2h ago
I've known people back in the 90s with user@tld domains, and they were definitely sending and receiving mail. So, even if it wasn't spec-compliant it certainly got through all the early mail relays.
I mean.. you can use emoji domains right now. They work most places for email. The part I found didn't work so well is emoji usernames on emoji domains. That has poor deliverability.
Joker_vD · 38m ago
> you can use emoji domains right now
ICANN, by the way, heavily discourages such domain names, even though it can't actually prohibit them: yes, RFC 5892 explicitly prohibits emoji code points in internationalized domain names but so what? If registrars allow (and many actually do allow) registration of such names that only means that they violate some RFC and they already violate quite a lot of them. Who cares! Just pay the money and we will delegate you whatever names you want.
FlamingMoe · 3h ago
I think this post is trending because of a comment on the announcement about the new Pope, where someone pointed out the redundancy in the vatican.va domain.
Similarly, browsers also accept IP addresses in decimal form, for example http://16843009 for 1.1.1.1
bingo-bongo · 2h ago
And the shortened form, eg. http://127.1/ (for 127.0.0.1)
leshokunin · 2h ago
TIL
ranger207 · 2h ago
Usually they'll also accept octal with a leading zero (010.010.010.010 is 8.8.8.8), hexadecimal with a leading 0x, and omitted 0 octets (127.1 is 127.0.0.1). IIRC these are all adopted from BSD's sockets library, or some similar early IP implementation
ryao · 1h ago
They will accept IPv4 addresses in IPv6 addresses too:
What's decimal form (base ten?) and why is that 16843009 the decimal form of 1.1.1.1?
fluidcruft · 3h ago
1.1.1.1 is 0x01010101 and 0x01010101 is 16843009 in decimal
esperent · 1h ago
> 1.1.1.1 is 0x01010101
Huh, in many years of web development I never knew that. Thanks!
ForOldHack · 1h ago
Um no.
Parent is exactly right:
p\*256^3+q\*256^2+r\*256+s
bawolff · 1h ago
Both of these are the same thing
itsgrimetime · 3h ago
00000001 00000001 00000001 00000001 = 16843009 in base 10 (concatenate each dot-separated 8bit number as one big base 10)
phanimahesh · 3h ago
IP addresses are 4 bytes, each in the range 0-255. In binary bits xyz would be equivalent to decimal x\*2^2+y\*2+z. Similarly, bytes abc would be equivalent to decimal a\*256^2+b\*256+c.
IP address p.q.r.s is decimal p\*256^3+q\*256^2+r\*256+s.
90s_dev · 3h ago
I'm bad at math. What's the algorithm for this? Something about 256^(1..4)?
opello · 3h ago
You can think about it like the IP address in hex if you like: 0x01.0x01.0x01.0x01 becomes 0x01010101 which is 16,843,009. So the first 0x01 is 0x01000000 which is the familiar 16,777,216 which then gets the further "base 256 digits" added to it.
Or maybe in your terms it's 256^(0..3) where you can think of it like each dotted component is a symbol (like 0-9 in base 10) where each component is a position digit. Where the right-most element is the "256^0" ("ones") digit, and the left most element is the "256^3" ("16,777,216s") digit.
hug · 3h ago
IPs are 4 octets, normally represented as a decimal between 0 and 255, or 00000000 and 1111111 in binary.
Remove the dots and concat the binary value for 1.1.1.1 and you get 00000001000000010000000100000001.
Convert that binary value to decimal and you get 16843009.
davejagoda · 3h ago
echo 256^3+256^2+256^1+256^0|bc
16843009
90s_dev · 3h ago
Ha, then I was right, but with a one-off error!
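The numeric host forms described in this sub-thread (single decimal number, leading-zero octal, 0x hexadecimal, omitted octets) and the p\*256^3+q\*256^2+r\*256+s formula, worked as an added example that is not part of any comment above. It is a simplified inet_aton-style parser; the function names are chosen for this illustration, and it is handy when logs or allowlists must compare hosts written in different forms.

```javascript
// Added example: inet_aton-style IPv4 host parsing, as the thread describes it.
// Function names are chosen for this illustration.

// One dotted part: "0x.." is hexadecimal, a leading "0" is octal, else decimal.
function parsePart(part) {
  if (/^0x[0-9a-f]+$/i.test(part)) return parseInt(part.slice(2), 16);
  if (/^0[0-7]*$/.test(part)) return parseInt(part, 8);
  if (/^[1-9][0-9]*$/.test(part)) return parseInt(part, 10);
  return NaN; // not a number in any accepted base
}

// Returns the canonical dotted quad, or null if host is not a numeric IPv4 form.
function canonicalIPv4(host) {
  const parts = host.split(".");
  if (parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.some(Number.isNaN)) return null;

  // Every part except the last is a single octet.
  const last = nums.pop();
  if (nums.some((n) => n > 255)) return null;
  // The last part fills all remaining bytes: "127.1" leaves three for the 1.
  if (last >= 256 ** (4 - nums.length)) return null;

  // value = p*256^3 + q*256^2 + r*256 + s
  let value = last;
  nums.forEach((n, i) => { value += n * 256 ** (3 - i); });
  return [3, 2, 1, 0]
    .map((k) => Math.floor(value / 256 ** k) % 256)
    .join(".");
}

// Compare two hosts by address rather than by spelling.
function sameAddress(a, b) {
  const ca = canonicalIPv4(a);
  return ca !== null && ca === canonicalIPv4(b);
}

// Forms quoted in the thread, plus constructed edge cases.
const SAMPLES = [
  "16843009", "127.1", "010.010.010.010", "0x01010101",
  "1.1.1.256", "example.com",
];
for (const host of SAMPLES) {
  console.log(host.padEnd(18), "->", canonicalIPv4(host));
}
```

A plain string comparison treats `127.1` and `127.0.0.1` as different hosts; `sameAddress` compares them after normalising.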
hirsin · 2h ago
At one point we were looking at moving a bunch of separate domains under a single dotless domain, due to the threatened death of 3p cookies, so that cookies could be dropped directly onto the cctld (think "you're logged into the entire TLD"). As the owners of the cctld it felt like a neat use that technically could work but ICANN and other groups are explicitly against that.
To me it felt very AOL keyword
mattl · 1h ago
I think done well, AOL keywords are actually a good idea.
They could also cut down on the fraudulent websites out there.
Not sure how to fully implement it but given the safe browsing features already implemented in web browsers it could perhaps be part of that. Or a new TLD.
Animats · 1h ago
Most browsers treat one word not as a domain but as a search key. This was an issue when companies started getting their own TLDs. Could you just type "amazon" or "microsoft", which are TLDs, and go there without being diverted to a search engine? The answer is no. Even if you put a dot after the domain name.
DNS lookup and web browser domain lookup are not quite the same. This is the price of a unified input bar.
wibbily · 1h ago
Mobile Safari likes to do this to me w/ machines on my tailnet. Whether dropping "foo:8080" in the address bar takes me to the webserver or to Google is random and I swear there is no pattern
dgellow · 1h ago
in my experience you have to explicitly add the https:// prefix to get it to consistently load the address
CraftThatBlock · 1h ago
At a previous company, our intrasite was a bare custom domain, and the most reliable way to get there was to add a / at the end. This is likely browser dependent though
tzury · 3h ago
All domains including TLDs are sub domains of “.”
That’s why there is a trailing dot you see in NS records for example.
stackskipton · 2h ago
Trailing dot is complete record, don't add any search domains onto it. (https://en.wikipedia.org/wiki/Search_domain) It's why NS records should have trailing dot in return to prevent unexpected lookup behavior.
Technically you can put just hostname for CNAME record. Obviously, any clients that don't have that domain as search domain will fail but for internal domain, you could do it.
Salgat · 2h ago
Seems Chrome also adds the dot at the end in the address bar.
jfengel · 2h ago
Oh. Thank you. I had wondered.
90s_dev · 3h ago
Ahh, I actually ran into this question, at least indirectly, about a month ago!
I was writing an email validator for my project which I'm so excited to announce soon. And my research (some stackoverflow answers) suggested that, yeah, you can have "a@b" as a valid email, as long as there's a one-letter TLD that can have MX records.
Which it seems there can be!
So my email validator is essentially just /^.{1,}@.{1,}$/ ... yay.
gerdesj · 3h ago
I don't know if it is still required but hostnames used to require a minimum of two chars and the first shalt not be an integer. Given that DNS does not put a proper boundary on host/domain, that might extend to your top level ... thingie.
However, there is absolutely no technical reason that I can think of that precludes u@x. In the end DNS query -> DNS answer. Given that say, PowerDNS has LUA built in, I can make it respond with "my little pony's stable is in {random_country}" - to A record requests, which might make the requester a little queasy!
Bugger standards, they are so 1990s!
esperent · 3h ago
> the first shalt not be an integer
I recently came across the 3.ie domain so I guess that's more of a guideline than rule.
AStonesThrow · 1h ago
I believe that the rule has been deprecated due to better parsing.
In the mid-90s, 3M was a customer of the ISP I worked for. Unable to procure the domain name “3m.com” they settled for the alternate “mmm.com”: mildly hilarious considering their lines of business.
qaisjp · 3h ago
out of curiosity, why are you trying to validate emails?
90s_dev · 3h ago
Just a base level regex before sending emails, to avoid some errors sending to non-email addresses and logging otherwise unnecessary errors.
esperent · 3h ago
The best you can hope to do is reduce a small class out of possible errors. But you'll never get a test that can prevent errors like name@gnail.com, name@gmaip.com, nane@gmail.com etc. So is it really worth doing any checks at all?
I have a .blue email address and it's amazing how many sites still won't accept it. I keep a spare Gmail account for these.
arp242 · 2h ago
> So is it really worth doing any checks at all?
People accidentally typing their name in the email field, stuff like that. I've done that.
The problems with your .blue are obviously completely unrelated to the "email.contains('@')" check the poster is doing.
90s_dev · 2h ago
I resent being called a poster! I am not flat, nothing was ever printed on me. I am a human being, you.. you... you piece of sheet!
90s_dev · 2h ago
The downvotes are a sign that I did not notice that my reply to the poster was not composed. I got the memo, and will take note from now on, mark my words!
qingcharles · 2h ago
.blue is 11 years old and still has issues. Same with several of the gtlds I have. I had an argument with a major backend email provider recently who refused to open an account for me as my gtld wasn't "valid." (they backed down eventually and fixed their code)
I keep a Gmail for the same reason.
I tried to add a .wiki link to a Reddit profile recently and their filters also say that domain is invalid.
jjani · 2h ago
> I tried to add a .wiki link to a Reddit profile recently and their filters also say that domain is invalid.
That's absurd, there's a .wiki that's almost definitely in the top 20 most visited websites in Korea, if not higher.
HeliumHydride · 2h ago
There's also minecraft.wiki.
90s_dev · 2h ago
In other words, /^.+?@.+$/ is a user-friendly reminder that you forgot the @ sign or something. That's all.
bch · 3h ago
Does this block things like the unconventional Google-filing trick of:
myemail+90sdev@gmail.com
which gives me the “90sdev” tag for my emails, which still go squarely into my “myemail@gmail.com” address? I don’t know what the best route is, but I’ve certainly run into bad validators that block things that otherwise work, and that’s annoying. It seems to me the best thing might be to have a user twice input their address, then have the next step/confirmation done via email.
90s_dev · 3h ago
I don't do blocking or differentiating. Emails are literal, for better or worse.
esperent · 3h ago
> bad validators
Possibly these validators are working exactly as intended and don't want you to know which service sold your email to spammers.
Then again maybe spammers are smart enough to strip off the + from email lists they purchase.
qingcharles · 2h ago
Does your regex support emoji usernames and domains? (both of which are in use, e.g. https://mailoji.com/)
90s_dev · 2h ago
My project doesn't even support emojis or unicode. In context, it's not an issue.
You should know there is a standard regular expression for validating email addresses mentioned in an RFC.
90s_dev · 3h ago
I'm sure there is. And I'm sure many email servers deviate from it.
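The trade-off argued over in this sub-thread, run side by side as an added example that is not code from any commenter: the loose `/^.+?@.+$/` check quoted above, a constructed over-strict pattern of the kind that rejects +tags and newer TLDs, and a pre-send check that only screens out non-addresses. `STRICT`, `preSendCheck` and `compare` are names chosen for this illustration; rejecting all whitespace is a deliberate simplification, and the 64/255 octet limits are those of RFC 5321.

```javascript
// Added example; names are chosen for this illustration.

// The check from the thread: something, an "@", something.
const LOOSE = /^.+?@.+$/;

// Constructed over-strict pattern of the kind the thread complains about
// (not taken from any named site): no "+", TLD of 2-3 letters only.
const STRICT = /^[a-z0-9._-]+@[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,3}$/i;

// Length in octets, since the RFC 5321 limits count bytes, not characters.
const octets = (s) => new TextEncoder().encode(s).length;

// Returns null when the address is worth attempting, else the reason it is not.
function preSendCheck(address) {
  if (typeof address !== "string") return "not a string";
  // Simplification: refuse any whitespace or control character.
  if (/[\u0000-\u0020\u007f]/.test(address)) {
    return "whitespace or control character";
  }
  // Split on the LAST "@"; the domain itself cannot contain one.
  const at = address.lastIndexOf("@");
  if (at < 1) return "no @ or empty local part";
  const local = address.slice(0, at);
  const domain = address.slice(at + 1);
  if (domain.length === 0) return "empty domain";
  if (octets(local) > 64) return "local part over 64 octets";
  if (octets(domain) > 255) return "domain over 255 octets";
  return null; // dotless domains such as "a@b" pass on purpose
}

// Addresses quoted in the thread, plus constructed ones (example.blue, Jane Doe).
const SAMPLES = [
  "a@b",
  "myemail+90sdev@gmail.com",
  "user@example.blue",
  "name@gnail.com", // typo'd domain: no syntax check can catch this
  "Jane Doe",       // a name typed into the email field
  "user@",
];

function compare(addresses) {
  return addresses.map((a) => ({
    address: a,
    loose: LOOSE.test(a),
    strict: STRICT.test(a),
    preSend: preSendCheck(a) === null,
  }));
}

console.table(compare(SAMPLES));
```

Neither check can tell `name@gnail.com` from a working mailbox; only a confirmation message sent to the address does that.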
zoky · 2h ago
I had a teacher in high school who once wrote a URL on the whiteboard like this: com/foo/bar.html
Upon informing him that he had forgotten to write the domain, I learned that the site was actually www.com, and he had just left the http://www part off because “the web browser adds that automatically”. I assured him that, while in principle he was more or less correct, in this case it wouldn’t work. He ended up adding the www, but I could tell he was skeptical that I was just being a smart ass.
vzaliva · 2h ago
I knew someone who had email ??@ua (two letters masked for privacy) which might have been one of the shortest email addresses in the world. Unfortunately it was not very useful as most email systems failed to recognize it as a valid email address. :(
codethief · 1h ago
> two letters masked for privacy
You do realize there are not that many two-letter combinations…? :)
zatkin · 1h ago
It's funny seeing that list of MX apex records. In response to me trying to show off how I had acquired a single letter domain, and had a single letter e-mail address (which resulted in *@*.**, replacing asterisks with letters), my boss showed how he was able to receive an e-mail address under one of those two-letter 'MX apex records'...
geor9e · 1h ago
My uncle had one of these in the 90s. All I knew was he was a higher up at the university in his smallish country, and ran their internet stuff. It confused the heck out of me when he verbally told me to bring his website up at Thanksgiving dinner, and after I typed a dot, he said "no no, no dot. just enter" And it worked. Baffled me as a kid. Nice to finally have some explanation for that fever dream of a memory.
webprofusion · 1h ago
Slashdotted
sebmellen · 1h ago
Temporarily rate limited?
kreativ_py · 2h ago
yea the people at uz have no idea what theyre doing lmao
[1] https://developers.cloudflare.com/workers/platform/limits/#d...
They insist on using the “www.vatican.va” only, and my browser’s autocomplete history reflects this.
https://www.vatican.va/siti_va/index_va_en.htm
https://archive.is/MDRWw
http://[::ffff:1.1.1.1]/
Sadly, cloudflare does not.