Re: [DNSOP] Tell me about the ISO 3166 user assigned two-letter codes and TLDs

Viktor Dukhovni <> Thu, 29 September 2016 07:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3515812B018 for <>; Thu, 29 Sep 2016 00:56:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jK7FK8jPNayw for <>; Thu, 29 Sep 2016 00:56:23 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 21C941288B8 for <>; Thu, 29 Sep 2016 00:56:23 -0700 (PDT)
Received: by (Postfix, from userid 1034) id 364DD284ADC; Thu, 29 Sep 2016 07:56:22 +0000 (UTC)
Date: Thu, 29 Sep 2016 07:56:22 +0000
From: Viktor Dukhovni <>
Message-ID: <>
References: <20160928232720.9513.qmail@ary.lan>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20160928232720.9513.qmail@ary.lan>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <>
Subject: Re: [DNSOP] Tell me about the ISO 3166 user assigned two-letter codes and TLDs
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 29 Sep 2016 07:56:25 -0000

On Wed, Sep 28, 2016 at 11:27:20PM -0000, John Levine wrote:

> The codes AA, QM-QZ, XA-XZ, and ZZ are "user assigned" and will never
> be used for countries.  Last year Ed Lewis wrote an I-D proposing that
> XA-XZ be made private use and the rest future use, but as far as I can
> tell it never went anywhere.
> I've been telling people that if they need a fake private TLD for their local
> network they should use one of those since it is exceedingly unlikely
> ever to collide with a real DNS name.  Am I right?

The the ".invalid" TLD is reserved, and has been used for private
naming of domains that are sure to not be real domains either
internally or on the public Internet.  I use:

  address.invalid - added to bare mailbox names in inbound external email.
  bcc.invalid - rewrite domain for (env recipient data) lossless Bcc copies of email
  discard.invalid - rewrite domain for addresses whose email gets dropped.
  local.invalid - rewrite domain for local delivery when no real domain is "local"

This is of course different from squatting on a TLD for naming
"real" private domains, and I see little justification for the
latter.  Real 2LDs, 3LDs, ... are cheap, and why not use those

And for documentation we of course have ".example", "",