Re: [DNSOP] More complete review of draft-grothoff-iesg-special-use-p2p-names-01

[Joe Abley <jabley@hopcount.ca>]

On 2013-12-31, at 15:06, Christian Grothoff <christian@grothoff.org> wrote:

> And again, a key question for me is, if you really want to _encourage_
> people to _first_ deploy at large scale and _then_ reserve the name.

You can reserve a name for $10/year, no IETF process required. Less if you reserve under an existing domain name.

The key question for me is, why do any of these uses necessarily require reservation of a TLD label, or something that looks like one?

If (to take an example at random) Tor users could make use of names outside of the DNS that look like DNS names under a .ONION TLD, why could they not just as easily make use of names that end in ONION.EFF.ORG?

The general answer to this question (in the DNS world) is that names will appear in television ads and billboard posters, and hence need to be short and memorable. I'm not sure how convincing that answer is (time will tell, I guess) but it seems less convincing for naming schemes that involve easily-typo'd, long hexadecimal strings as interior labels. These are presumably not intended for direct entry by users. Where is the need for a pithy TLD?

If the answer is "well, it wasn't done that way, and there's a huge deployed base" then I would take the time to consider migration strategies away from schemes that seem to involve top-level DNS labels towards schemes that don't. It's inevitable that these names will leak to the DNS, and those leaks will be easier to mitigate the further the names are from the DNS root.

> I expect that this MAY happen, but if the draft is accepted, one
> of our goals is to explicitly authorize DNS operators to prevent
> this.  Right now, a well-configured, 100% RFC-compliant DNS resolver
> MUST pass a request for ".onion" to the root.  With this draft, we
> want to explicitly ALLOW 100% RFC-compliant DNS resolvers to instead
> immediately return NXDOMAIN and thus avoid the security and performance
> implications of leaking such queries to the root.

The IETF is not the resolver police. Resolver operators mitigate weird problems with approaches like this all the time. It's a mistake to imagine that a blessing enshrined in a document published by the IETF will immediately trigger changes in deployed infrastructure, or that deployed infrastructure is being hamstrung by the lack of such a blessing.

Consider, however, the different degrees of chaos that might result from:

(a) instruct all the resolver operators in the world to maintain configuration that special-cases a growing list of DNS names. or

(b) chose your naming scheme (again, think ONION.EFF.ORG) such that the NXDOMAINs, negative caching, sinkholing, whatever can be controlled by someone who cares about Tor (the EFF.ORG administrator) without requiring any special handling elsewhere.

Option (b) is much more friendly to the Internet.


Joe