Re: [DNSOP] Special-use TLDs in resolvers

Joe Abley <> Fri, 16 August 2019 15:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BD1021207FC for <>; Fri, 16 Aug 2019 08:56:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jfqWRO1bku_S for <>; Fri, 16 Aug 2019 08:56:47 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::d31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 45EAD12029C for <>; Fri, 16 Aug 2019 08:56:47 -0700 (PDT)
Received: by with SMTP id 18so7137655ioe.10 for <>; Fri, 16 Aug 2019 08:56:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=/zNAI1ioMCNvARhp6zhYAcy2m6d4SyVZxkQlGUpE5HE=; b=J+pFuX3QMAajy9hVbrdPcldvGbRrgKIvELzGpMZqqYMCSMkYU3CkQODNY76yJhtZFh AjhNHj2fq1XEEm/V3vKlilCgDweQowTE7lL7SmFUpbanry5LQxof4kgkT2fBkh0otQdZ WdKhFXQEwxYxtXOlsED4UG9prFeSN6RkuVNvY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=/zNAI1ioMCNvARhp6zhYAcy2m6d4SyVZxkQlGUpE5HE=; b=AVbLCInivfHeTjcRFCRUYtBm4oyetPWvHw9rydqH2xtBLt1AcBhrSysSrxQ+LjAGyU JB4eMgiUftL9oYvtIHQVAh6A7ZQTVVhouNdb+h1ZIvN5/NhTQDH7bcrv0QvyohcZONxa sf6OOv3zcw8FHbYr5ukULpF/7Wc+ycxi3dIPiybfOCBCjaq0892Is55WWRWJGkK9ewt5 fYXFquUPCr5boGGxsARE+hyqY99kp4xrBfpG32PjFvyzp362+eg2lnVEFYKyDamFtj0P ZG+56BGdb8lKMIV8vwRtsJ+drCi/IH0e0ggZ4EymTCWJWKR5UVN0Tw52V2k9xA1jeC4i 6SAQ==
X-Gm-Message-State: APjAAAVeunqm1Y1YQCdXmTwt0bPlE6V2Wi8Qsi0+GA5XvNyVvdEnbVhQ /GX29kRDC1Uk4UhY4iT8Hldt8diLak3Aurx+
X-Google-Smtp-Source: APXvYqz5bAv0n3R11xk/DbpjvwSl90pFtSROBMvL/+ejQNEh+XwCP6RmBeYF1rcIYzmuDgpSOZOZmw==
X-Received: by 2002:a5d:9703:: with SMTP id h3mr680097iol.152.1565971006458; Fri, 16 Aug 2019 08:56:46 -0700 (PDT)
Received: from ?IPv6:2607:f2c0:e786:128f:80ee:69e7:9906:351e? ([2607:f2c0:e786:128f:80ee:69e7:9906:351e]) by with ESMTPSA id w5sm9488899iom.33.2019. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 16 Aug 2019 08:56:45 -0700 (PDT)
From: Joe Abley <>
Message-Id: <>
Content-Type: multipart/signed; boundary="Apple-Mail=_6FA26DEE-24F4-48C7-8C2B-EAD5144A967E"; protocol="application/pgp-signature"; micalg=pgp-sha1
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Fri, 16 Aug 2019 11:56:43 -0400
In-Reply-To: <>
Cc: Andrew Sullivan <>, dnsop <>
To: Steve Crocker <>
References: <> <> <>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <>
Subject: Re: [DNSOP] Special-use TLDs in resolvers
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 16 Aug 2019 15:56:49 -0000

On 16 Aug 2019, at 10:59, Steve Crocker <> wrote:

> At the risk of revealing that I haven't been following this thread carefully, I don't understand how a resolver is supposed to know all of the special names.  Resolvers that are configured to know that invalid, local, onion, and test are special will not know about the next name that's put on the special list.

The pragmatic answer right now is that vendors and package maintainers do a good job with their default configurations. DNS software tends to get upgraded frequently enough in applications with significant user bases that this goes some of the distance.

I can see your point though that there might be some merit in having a way to retrieve a current list, or at least telling whether the list you have is up-to-date. I don't know that I think it's a particularly pressing problem though (I think DNSSEC trust anchor distribution for the root zone is higher up the priority list, for example).