Re: [DNSOP] additional special names Fwd: I-D Action: draft-chapin-additional-reserved-tlds-00.txt

Warren Kumari <> Sun, 02 March 2014 22:20 UTC

To: Joe Abley <>
Cc: Stuart Cheshire <>, " WG" <>, David Conrad <>

On Wed, Feb 26, 2014 at 2:34 PM, Joe Abley <> wrote:
> On 26 Feb 2014, at 5:03, Mark Andrews <> wrote:
>> In message <>, David Conrad writes:
>>> On Feb 25, 2014, at 9:51 AM, Stuart Cheshire <> wrote:
>>>> If we have *some* pseudo-TLDs reserved for local-use names,
>>> I would think s would be appropriate for this purpose.
>>> Regards,
>>> -drc
>> Whatever is used needs to be insecurely delegated so that in app
>> validation will work.
> I still don't see why we need a TLD, or a delegation/reservation under ARPA.
> There are many, many TLDs under which an application/protocol implementer can reserve some namespace for their exclusive use at low cost ($10/year, say). Why is this approach not preferred for a new application/protocol? It seems far simpler.

Yes, and it is -- but it means that leakages hit more folk.

> Perhaps all that is missing is some guidance that says "you shouldn't hijack namespaces that you don't control, even for non-DNS applications; register a domain instead".

Because for some things, people specifically do *not* want it to hit /
go through the DNS -- this is why they have done this, and *not* just
registered e.g

For example, I'm a *huge* Justin Bieber fan. I, and a bunch of my
fellow closet Bieberites hang out on the-bieb-is-cool.onion. (you
don't really think we want everyone to know that we obsess over every
little antic, do you?)

Last week I emailed my friend a link to
Unfortunately, he was just *so* excited to see that the Bieb has new
sneakers that he clicked on the link from his phone (which doesn't
have the Tor interceptor software installed). This, of course, means
that the "DNS like" name, which should not really be used in a DNS
context suddenly hit the DNS.  Only his recursive and the root saw
this, and that's embarrassing enough, thank you.

This is bad enough, but if people built stuff like this under (or, there would now be many more
people in the list who knew our shameful little secret.

Obviously this is a somewhat contrived example (after all, who
wouldn't want to make it widely known that they *love* Justin
Bieber!), but let's instead pretend I'm using an overlay network as a
political dissident, or to discuss my sexual orientation, or...

This is some of the justification behind the .ALT TLD proposal
( -- create
a special label to be used to denote that this is not actually a name
in the DNS context. By reserving it as a special use name:
A: It creates a "safe" namespace, secure from collision for people to
root namespaces that have no meaning in a DNS context.
B: when one of these names *does* leak (as they will), iterative
resolvers will be authoritative, with an empty zone, so
the-bieb-is-cool.onion.alt only gets seen by the iterative and goes no
C: When one does go further (as they will), the root can delegate to
AS112, while can squash it.
D: 4 years from now, when someone comes along and says "I created a
shiny new directory system. I used something that looks like DNS
names, and I placed it under .pony. Please reserve that for me" the
IESG can at least say "But we told you not to do that..." They can
also a: reserve it, b: not, or c: we can have another thread about
this all again, but now at least we can nod knowingly and feel all

P.S: Note: I did *not* say what should happen with the current
pseudo-TLDs / colliding names. They can move under .ALT or they can
not. The IESG can reserve them, or not, or bury them in peat, or paint
them purple and dress them in wellies. I have views on what I think
makes sense, but that's a separate mail.....

> Joe
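
A small model of the exposure argument in the message above, added here as an illustration and not part of the original mail: it lists which servers receive the full query name when an overlay-network name leaks into the DNS. The delegation tree, the `example.com` stand-in for a registered domain, and the function names are constructed assumptions, and the model assumes no QNAME minimisation.

```python
"""Who sees a leaked overlay-network name? Constructed model, not a resolver."""

# Constructed delegation tree: the zones that exist in this toy DNS ("" is the root).
DELEGATED = {"", "com", "example.com"}
# Suffixes the recursive resolver serves itself as empty zones (point B above).
LOCAL_EMPTY_ZONES = {"alt"}


def normalise(qname):
    """Lower-case and strip the trailing dot so comparisons are label-exact."""
    return qname.rstrip(".").lower()


def under(qname, zone):
    """True if qname equals zone or is a subdomain of it (whole labels only)."""
    q, z = normalise(qname), normalise(zone)
    return z == "" or q == z or q.endswith("." + z)


def observers(qname, local_zones=LOCAL_EMPTY_ZONES, delegated=DELEGATED):
    """List the parties that receive the full query name.

    Assumes no QNAME minimisation, so every server asked sees the whole name.
    """
    seen = ["recursive"]
    if any(under(qname, z) for z in local_zones):
        return seen  # answered from the local empty zone, never forwarded
    parts = [p for p in normalise(qname).split(".") if p]
    # Walk from the root towards the leaf, asking each zone that exists.
    for i in range(len(parts), -1, -1):
        zone = ".".join(parts[i:])
        if zone not in delegated:
            break  # the parent answers NXDOMAIN; nothing deeper is contacted
        seen.append(zone or "root")
    return seen


if __name__ == "__main__":
    for name in ("the-bieb-is-cool.onion",        # unreserved pseudo-TLD
                 "the-bieb-is-cool.onion.alt",    # under the reserved label
                 "the-bieb-is-cool.example.com"):  # under a registered domain
        print(f"{name:32} -> {observers(name)}")
```

The three sample names correspond to the three cases the message compares: a bare pseudo-TLD, the same name under the reserved label, and a name built under a registered domain.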