[Dbound] dbound-problem_statement-v3.txt (was: Draft problem statement and IETF "bar BoF"

=JeffH <Jeff.Hodges@KingsMountain.com> Mon, 10 November 2014 00:24 UTC

Return-Path: <Jeff.Hodges@kingsmountain.com>
X-Original-To: dbound@ietfa.amsl.com
Delivered-To: dbound@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id C0CFB1A87CA for <dbound@ietfa.amsl.com>; Sun, 9 Nov 2014 16:24:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.832
X-Spam-Status: No, score=0.832 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_37=0.6, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 3vkft_TnV0Wj for <dbound@ietfa.amsl.com>; Sun, 9 Nov 2014 16:24:06 -0800 (PST)
Received: from gproxy8-pub.mail.unifiedlayer.com (gproxy8-pub.mail.unifiedlayer.com []) by ietfa.amsl.com (Postfix) with SMTP id C9C611A87C8 for <dbound@ietf.org>; Sun, 9 Nov 2014 16:24:05 -0800 (PST)
Received: (qmail 24779 invoked by uid 0); 10 Nov 2014 00:24:02 -0000
Received: from unknown (HELO cmgw2) ( by gproxy8.mail.unifiedlayer.com with SMTP; 10 Nov 2014 00:24:02 -0000
Received: from box514.bluehost.com ([]) by cmgw2 with id DcPy1p00L2UhLwi01cQ1kr; Sun, 09 Nov 2014 17:24:01 -0700
X-Authority-Analysis: v=2.1 cv=W5+rC3mk c=1 sm=1 tr=0 a=9W6Fsu4pMcyimqnCr1W0/w==:117 a=9W6Fsu4pMcyimqnCr1W0/w==:17 a=cNaOj0WVAAAA:8 a=f5113yIGAAAA:8 a=xk8Vn6ZJdw4A:10 a=IkcTkHD0fZMA:10 a=ieNpE_y6AAAA:8 a=XYUc-DgfXtMA:10 a=Fwsyk3WOAnQA:10 a=A1X0JdhQAAAA:8 a=QIhr-27iAAAA:8 a=kewnc1ipAAAA:8 a=O8BSH_48AAAA:8 a=7u2kzkQ9AAAA:8 a=W0ucIhDPAAAA:8 a=m9shYIPOAAAA:8 a=hL1costlTO4jggqM2XUA:9 a=JtmV564O68BcFxcx:21 a=EIy_EPdrT0WR5rjp:21 a=QEXdDO2ut3YA:10 a=e1i35A98MB8A:10 a=4rq7TwIXcRUA:10 a=9jDjnVP-S04A:10
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default; h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=ZzneFSbRO+dAnxVIu7n6WnoBLyD0c5kcuLItHPtieGU=; b=grqAepfrHvaJkdtZx1FWLrnWkiGOPXVFLGA2PlIqATSuTSCs+WBhOCNxZS8qaMOn3c9ng8YJUDtLqSVzb/R4vLQVxLkrHgE76THHmBS3Dz1jlQe0Zv6mL+i9QeL2BV4y;
Received: from [] (port=49510 helo=[]) by box514.bluehost.com with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.82) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1Xnclz-0001E9-8g for dbound@ietf.org; Sun, 09 Nov 2014 17:23:59 -0700
Message-ID: <546005C4.3080200@KingsMountain.com>
Date: Sun, 09 Nov 2014 16:24:36 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.2
MIME-Version: 1.0
To: dbound@ietf.org
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth authed with jeff.hodges+kingsmountain.com}
Archived-At: http://mailarchive.ietf.org/arch/msg/dbound/EATAhFdPIWOjroY5LbPUA9uwHsc
Subject: [Dbound] dbound-problem_statement-v3.txt (was: Draft problem statement and IETF "bar BoF"
X-BeenThere: dbound@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS tree bounds <dbound.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dbound>, <mailto:dbound-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dbound/>
List-Post: <mailto:dbound@ietf.org>
List-Help: <mailto:dbound-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dbound>, <mailto:dbound-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Nov 2014 00:24:09 -0000

I converted problem_statement-v3 to plain txt for convenience...

Defining and Signaling Relationships Between Domains

Casey Deccio     John Levine


Various Internet protocols and applications require some mechanism for
determining whether two Domain Name System (DNS) names are related. In
this document we formalize the types of domain name relationships,
identify protocols and applications requiring such relationships, review
current solutions, and describe the problems that need to be addressed.

1 Introduction

The use of various Internet protocols and applications has introduced
the desire and need for designated relationships between Domain Name
System (DNS) names, beyond the lineal relationship inherent in the names
themselves. While protocols, such as that used by HTTP Cookies, have
traditionally used ancestral relationships to determine allowable scope
of information sharing and authorization, there is an increasing need to
define relationships between arbitrary domains.

We begin by introducing terminology, after which we discuss known and
conceived applications for which domain relationships are desirable or
required. We then discuss the Public Suffix List, the primary solution
for domain relationships currently available. Finally, we define the
problems that need addressing in the context of prior sections.

1.1 Terminology

For consistency in language we define terms surrounding domain names.

1.1.1 Domains and Domain Names

A domain name is a sequence of dot-separated alphanumeric words, such as
www.example.com. A domain names parent is the domain name formed by
removing the leftmost label. The parent of www.example.com is
example.com. The domain of a domain name consists of the name itself and
all its descendants (children, grandchildren, and so on). The names
x.y.z.example.com and example.com are both in the example.com domain, but
of the two, only x.y.z.example.com is in the z.example.com domain. The
name example.org is in neither domain. The root domain name (“.”) is the
ancestor of all domain names, and its children are referred to as
top-level domains (TLDs). In a structural sense, the root is the top of
a tree, which recursively branches to each child, and a domain is the
complete subtree rooted at the name of that domain.

1.1.2 Public/private Boundaries

We refer to a domain name as having a public scope if the entity that
operates it allows the creation of children names by other entities;
otherwise, its scope is considered private. Domain names having public
and private scope may simply be referred to as public and private,
respectively. For example, many TLDs, including com, are public. Both
public and private domains may have either public and private children,
resulting in public domains within private domains and vice-versa.

1.1.3 Related Domains

We say that two domains are related if they are mutually and positively
associated with one another. For example, they might by the same entity
or that there are formal business or other relationships between the two
operating entities that require a positive association. In the most
lenient case, two domains, if related, are related for all purposes.
However, it is possible that two domains are related for explicitly
defined purposes.

1.1.4 Domain Relationships

Relationships between domains are natural, expected, and already exist.
Many relationships are hierarchical, i.e., following the ancestral
structure of the DNS tree, and many are not. Two related domains need
not be in the same scope.

Intra-domain Relationships: The most natural of relationships between
domains is when one is within the other, such as a parent/child
relationship. There are two major subclasses of intra-domain
relationships: those that cross domain scope, and those that are within
the same scope. In the former case, one or more boundaries exist between
the domains. For example, assuming example.com is a private domain name
under com (which is public), there is a change in scope from public to
private between com and example.com and thus a scope boundary between
the two.

Between two related domains within the same scope, there may be
organizational boundaries. For example, if foo.example.com, with private
scope, is operated by a business office of its parent organization,
which operates example.com, there might be policy or political
constraints for which an organizational boundary exists between the two.

Cross-domain Relationships: Relationships between non-overlapping
domains is also common. For example, example.com and example.org might
be operated by the same organization, but that organization uses them

2 Known Applications for Domain Relationships

2.1 HTTP Cookies

The DNS is used extensively in conjunction with the Hypertext Transfer
Protocol (HTTP). In addition to domain name resolution, the DNS is used
by HTTP clients for enforcing policy.

HTTP clients maintain local state in the form of key/value pairs known
as cookies. While most often cookies are initially set by HTTP servers,
HTTP clients send all cookies in HTTP requests for which the domain name
of the Uniform Resource Locator (URL) is within the the cookies’ scope.

The scope of a cookie is defined using a domain name in the “domain”
attribute of the cookie. When a cookie’s “domain” attribute is specified
as a domain name (as opposed to an Internet Protocol address), the
domain name in the URL is considered within scope if it is a descendent
of the “domain” attribute.

By policy, HTTP clients are not allowed to respect a cookie domain at the
TLD level or higher. Such domains have inherent public scope, and cookies
having such scope would enable the association of HTTP requests across
different, independently operated domains. This association raises
concerns of user privacy and security.

The TLD restriction alone is insufficient to address the privacy and
security concerns with cookies. For example, many country-code TLDs
(ccTLDs) designate public second-level domains (e.g., com.ac).
Additionally, relationships are only defined within the DNS hierarchy;
cross-domain relationships are not supported.

2.2 Email sender verification

An emerging sender verification called Domain-based Message
Authentication, Reporting and Conformance (DMARC) [1] attempts to
validate the domain name of the author’s address on the message’s “From:”
header using the DomainKeys Identified Email (DKIM) and Sender Policy
Framework (SPF) authentication schemes. A DKIM signature and SPF check
each validate a specific domain name. For DKIM it is the domain name
corresponding the DKIM signature. For SPF the domain name of the
message’s bounce address is validated. DMARC allows approximate matching
between the author’s domain and the validated domain, where one can be an
ancestor or descendant of the other.

Entry           | Meaning
example         | example is public
*.example       | All children of example are public
!foo.example    | foo.example is private

Table 1: Contrived PSL entries.

DMARC validators are supposed to ensure that the two domains are under
the same management, the specifics of which are deliberately left out of
the spec.

2.3 SSL certificate requests

Secure Socket Layer (SSL) certificate authorities typically validate
certificate signing requests by sending a confirmation message to one of
the WHOIS contacts for the (private scope) domain name [2]. In cases
where there are multiple levels of delegation (i.e., crossing
public/private scopes), the WHOIS contact needs to be the one for the
registrant of the domain, not a higher level registration.

When an SSL certificate is for a wildcard domain, the entire range of
names covered by the wildcard needs to be under the same control.
Authorities do not (knowingly) issue certificates for public domains
such as *.com.ac.

3 Public Suffix List

To further address HTTP security and privacy concerns surrounding cookie
  scope and use, a list of publix suffixes was developed by Mozilla
Firefox developers. This list, known as the Public Suffix List (PSL) [3],
is maintained with the Mozilla Firefox source code and includes a more
extended list of known public suffixes, so cookie policies originally
applied only to TLDs can be applied generally to identified public

The PSL includes placeholder public domains designated by “wildcard”
notation in the file, where a wildcard implies that all children of the
wildcards parent are in fact public domain names themselves–except where
otherwise noted as a wildcard exception. For example, we use the
contrived entries in Table 1 to demonstrate this use of the PSL. These
entries result in the scopes shown in Table 2:

Name                 | Scope -------------------------------------
example              | Public foo.example          | Private
baz.foo.example      | Private bar.example          | Public
baz.bar.example      | Private www.baz.bar.example  | Private

Table 2: Domain name scope based on the PSL entries from Table 1.

The PSL effectively identifies scope. Of the 6,823 entries in the PSL at
the time of this writing, all but 50 are used to designate unbroken
public scope from TLDs to the entry itself. The remainder designate
public scope below a private domain. The primary function of the PSL,
therefore, is to delineate the highest boundary between public and
private domain space. Secondarily it identifies public/private
boundaries at arbitrary levels in the DNS namespace. The issue of
determining relationships between domains that are lineally connected
(i.e., one is an ancestor of another) and within the same public/private
scope is not addressed by the PSL, nor is the issue of cross-domain

3.1 Usage

As alluded to previously, the PSL is used by several browsers, including
Mozilla Firefox, to identify domains as public or private. This is used
for validating the domain attribute of cookies. Additionally, it
provides visual and organizational convenience for readily identifying
the highest intra-scope private ancestor for a given private domain name.
This is useful for organizing names and URLs by domain name, as in
bookmarks, and for highlighting key parts of URLs or certificates in the
address bar or other parts of the browser interface.

Existing DMARC implementations are known to use the PSL to assert
positive association of SPF- or DKIM-authenticated validated domain
names with the domain name corrsponding to the address in the “From:”
header. Inferred relationships are simply derived from intra-domain
relationships for which scope boundaries are not crossed.

DMARC implementations also use the public suffix to identify the highest
intra-scope ancestor of a (private) domain name for the purpose of
looking up the DMARC DNS record. The the appropriate ancestor name is
identified it is appended to the label dmarc to find the appropriate
information in the DNS.

SSL certificate authorities use the PSL to ensure that wildcards are not
issued for public domain names.

4 Problem Statement

The PSL is the primary resource for determining public/private
boundaries. Public domains in unbroken public scope, as well as those
under islands of private scope, can both be designated in the PSL.
However, that is the extent of its capabilities.

We propose the following with regard to domain relationships:

• Evaluate the effectiveness of the current PSL at performing the
   functions within its scope.

• Evaluate the effectiveness of the maintenance and distribution
   of the PSL.

• Determine demand for domain relationship identification other
   than that provided by the PSL.

• Identify solutions to replace, extend, improve, or complement the
   functionality, maintenance, or distribution of the PSL according
   to perceived demands.

4.1 Considerations

Considerations on evaluation of existing solutions and development of new
solutions include the following:

Online vs. offline lookups:

Online publication and detection of domain relationships (e.g., as
entries in the DNS) has the advantage of rapid dissemination of changes.
Fresh information can be retrieved as soon as it has been published and
prior versions have expired. However, online publication can make offline
lookups difficult or impossible. For a resource of capped scope, such as
the current PSL, embedding and periodic synchronization of the list for
offline use is feasible, e.g., through incremental or full transfer.
Online schemes for detecting other relationships might not have such
clear delineators, making offline use less practical. Additionally,
online detection can be chatty and add desired.

Centralized vs. distributed maintenance and distribution:

Centralized maintenance of a lookup service can be perceived as a
bottleneck, particularly for the general topic of domain name
relationships. If maintained in a distributed system, such as the DNS,
the burden and responsibility of updating is decentralized and falls
under the entity which controls the component of the service to which
the lookup is directed, allowing it to scale. However, if the scope is
fixed, as it is with the current PSL, scalability might not be a concern.
In such cases, good practice, administered centrally, can potentially
outweigh the benefits of de-centralized service. For example, version
control and transparency, association of changes to a software release,
and general system consistency are all exemplified by the current PSL.

Scope and scalability associated with new generic TLDs:

While traditionally TLDs have been implicitly considered public scope,
the Internet Corporation for Assigned Names and Numbers’ (ICANN’s) new
generic TLD (gTLD) program [4] has introduced a new class of TLDs, whose
scope may differ from the norm. Depending on how delegations are handled
in each, this addition might raise new scalability questions with regard
to domain name scope boundaries (e.g., that provided by the PSL) or
general domain relationship identification.


[1] <http://www.dmarc.org/>

[2] See the Certificate Authority (CA)/Browser Forum’s Ballot 74 for a
more detailed definition of “Domain Authorization Document” at


[3] See <http://publicsuffix.org/>

[4] See <http://newgtlds.icann.org/en/>