Voting period: [14 days]
Categories:
Social Proposal
Request for Action
Constitution Amendment
Abstract:
This proposal seeks to implement a maximum character limit for Tezos domains. The primary aim is to prevent the registration of domains that could mimic or closely resemble Tezos addresses, thereby enhancing user security and reducing the potential for confusion or malicious activities such as phishing.
By establishing a clear upper boundary for domain length, significantly shorter than the 36 characters of a Tezos address, we can improve the clarity and trustworthiness of the Tezos domain ecosystem.
Rationale:
The necessity for this proposal stems from a potential security vulnerability. Currently, Tezos domains can be registered with a length that might allow them to appear very similar to a standard 36-character Tezos address. This ambiguity could be exploited by malicious actors to deceive users, for instance, by creating a domain that an individual might mistake for an actual Tezos wallet address, leading to misdirected funds or other fraudulent activities.
Implementing a maximum character limit, for example, 20 characters (excluding ".tez"), would create a distinct visual and practical difference between domain names and Tezos addresses. This proactive measure would bolster user confidence and contribute to a safer environment for all participants in the Tezos ecosystem.
Details:
- Proposed Maximum Length: It is suggested to set the maximum character length for Tezos domains to 20 characters (excluding the ".tez" suffix). This figure is proposed as a starting point for community discussion and can be adjusted based on feedback. The key is that it should be substantially less than 36 characters.
- Community Consultation: It is vital that this proposal undergoes thorough discussion within the Tezos Domains community forum. Feedback should be actively sought to determine the optimal maximum character length that balances usability with the desired security enhancement.
- Technical Assessment: The Tezos Domains Foundation (TDF) or relevant technical teams should assess the implications of this change to ensure a smooth and effective implementation.
Timeline:
- Proposal Draft Submission: 20 May 2025
- Draft Discussion Period (minimum 7 days): 20 May 2025 – 27 May 2025
- Move to ACTIVE stage (voting period begins, 14 days): 28 May 2025 – 10 June 2025
- Proposal Outcome Confirmation (ACCEPTED/REJECTED): 11 June 2025
- Execution Planning/Preparation (if ACCEPTED, 7 days): 11 June 2025 – 18 June 2025
- Execution of Changes (if ACCEPTED): Commencing 19 June 2025, with an estimated completion by 03 July 2025.
Specification:
- Action #1: Amend the Tezos Domains smart contract (specifically the TLDRegistrar configuration) to enforce a maximum character limit for all new domain registrations.
- Action #2: Set the aforementioned maximum character limit to 20 characters (this value is subject to community discussion and final agreement before implementation). This limit applies to the part of the domain name before ".tez".
- Action #3: Update any relevant documentation and user interface elements within the Tezos Domains application to reflect this new limitation.
Sounds good, if this kind of phishing is a real thing. Also, to define how "significant", if 20 characters is needed limit or overdoing. Ideally, we should review existing domains of similar length and consider any potential renewal issues if these changes are applied.
I think even if it's not a problem yet, getting ahead of the problem is a worthy effort.
I do appreciate dealing with existing domains of similar length and renewal IS going to be a tricky task that I unfortunately do not have an answer to other than suggesting removing any domain someone can't prove they own the address to, as that is clearly a phishing attempt.
However, I also don't even know if such a proposal/option is possible/could be implemented.
I've never seen anyone get phished using a .tez domain that mimics a user's wallet address, or any other blockchain domain TLD, for that matter. These types of scams would require a significant amount of information and coordination to pull off, including injecting a copy/paste script tailored to a particular individual. In most cases, this method is far less effective due to its complexity, and most users likely to be targeted would probably notice the .tez domain before being a victim.
Not only this, but it would really be up to the wallets that enable .tez to provide some type of message to check legitimacy of the address before sending & the fact that if the .tez was let's say 20 characters, they could still make a domain like tz1VSUr8wwNhLAzempoch.tez for the wallet address tz1VSUr8wwNh5d6hLRiTh8CjcjbLAzempoch and some wallets/platforms may display it as tz1VSU…Azempoch(.tez) which would still look the same as their wallet address, so it might just be pointless to create such a restriction of names, it all boils down to users looking at what they are doing and even more reason to own a short Tezos Domain…
1 Like
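The truncation concern raised in the reply above, as an added example that is not part of any post in this thread and is not Tezos Domains or wallet code: a wallet-side check that flags a label which is address-shaped or which shortens to the same string as a trusted address. The function names, the prefix list, the case-insensitive comparison and the 6+8 truncation widths are assumptions; the 20-character label is constructed.

```javascript
// Added example (not Tezos Domains or wallet vendor code); names are hypothetical.
const ADDRESS_LENGTH = 36;                             // length stated in the proposal
const ADDRESS_PREFIXES = ["tz1", "tz2", "tz3", "kt1"]; // assumed prefix list, lowercased

// Assumed display shortening: first 6 and last 8 characters, as in the reply's example.
function truncate(s, head = 6, tail = 8) {
  return s.length <= head + tail ? s : s.slice(0, head) + "…" + s.slice(-tail);
}

// Returns the reasons a label (the part before ".tez") could be read as an address.
// knownAddresses: addresses the wallet already trusts (own accounts, address book).
function assessLabel(label, knownAddresses = [], maxLen = 20) {
  const findings = [];
  const lower = label.toLowerCase();                   // compare case-insensitively
  if (label.length > maxLen) findings.push("over-limit");

  const addressShaped =
    ADDRESS_PREFIXES.some((p) => lower.startsWith(p)) && /^[a-z0-9]+$/.test(lower);
  if (addressShaped) {
    findings.push("address-shaped");
    if (label.length === ADDRESS_LENGTH) findings.push("full-length-address");
  }

  // A label that passes the length cap can still shorten to the same string as a
  // trusted address once the UI elides the middle.
  const shortLabel = truncate(label).toLowerCase();
  for (const addr of knownAddresses) {
    if (shortLabel === truncate(addr).toLowerCase()) {
      findings.push("truncation-collision:" + truncate(addr));
    }
  }
  return findings;
}

// Address quoted in the thread; the 20-character label is constructed for this example.
const ADDR = "tz1VSUr8wwNh5d6hLRiTh8CjcjbLAzempoch";
const SHORT_LOOKALIKE = "tz1VSUr8wwNLAzempoch";

console.log(assessLabel(SHORT_LOOKALIKE, [ADDR]));
console.log(assessLabel("alice", [ADDR]));
```

The constructed label is within the proposed 20-character cap and is still reported, which is why a registration-level limit and a display-level check cover different cases.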
My primary concern remains the proactive prevention of Tezos domains being registered that, in their full and untruncated form, could closely mimic the 36-character length and structure of actual Tezos addresses (e.g., a 36-character domain starting "tz1").
While I understand your points regarding the current perceived unlikelihood of such attacks, @Snorlax.tez, though it is worth noting that a lack of direct observation does not entirely preclude the possibility of such incidents occurring or the potential for future exploitation, and the separate issue of UI truncation, my proposal focuses on the foundational registration level.
The core aim is to eliminate the possibility of registering a domain that is itself a 36-character string directly resembling a full Tezos address. Leaving this avenue open, now that it has been highlighted, might inadvertently suggest that registering a domain which mirrors another individual's Tezos address (which they do not own or control) is permissible, which I'd hope Tezos Domain was against, no matter how likely/unlikely such a phishing attack is.
This suggested limitation is intended as a complementary, system-level safeguard. It aims to reduce one specific potential avenue for deception by ensuring a clearer distinction between domain names and full address strings as they are registered, contributing to a more robust and trustworthy ecosystem.