Re: [DNSOP] back to: Some distinctions and a request

Hugo Maxwell Connery <> Thu, 02 July 2015 10:03 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 6C0CE1B315E for <>; Thu, 2 Jul 2015 03:03:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.901
X-Spam-Status: No, score=-0.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DK=1.009, RCVD_IN_DNSWL_NONE=-0.0001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Cr0AATJ2xxWu for <>; Thu, 2 Jul 2015 03:03:40 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E240C1B315C for <>; Thu, 2 Jul 2015 03:03:39 -0700 (PDT)
Received: from ( []) by with ESMTP id t62A34ii019369-t62A34j5019369 (version=TLSv1.0 cipher=AES128-SHA bits=128 verify=CAFAIL); Thu, 2 Jul 2015 12:03:35 +0200
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Thu, 2 Jul 2015 12:03:05 +0200
Received: from ([]) by ([]) with mapi id 14.03.0235.001; Thu, 2 Jul 2015 12:03:00 +0200
From: Hugo Maxwell Connery <>
To: Andrew Sullivan <>, "" <>
Thread-Topic: [DNSOP] back to: Some distinctions and a request
Thread-Index: AQHQtK33drk+QB922UaqZ1na3WF2vw==
Date: Thu, 2 Jul 2015 10:02:59 +0000
Message-ID: <>
Accept-Language: en-AU, da-DK, en-US
Content-Language: en-AU
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [DNSOP] back to: Some distinctions and a request
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 02 Jul 2015 10:03:42 -0000


I think that Andrew's effort to distinguish between a domain name and
a DNS name is useful.  It gives us some clear terminology to use to
discuss domain names that wish to use a non-DNS name resolution

RFC6761 introduces a mechanism for the handling of these types of cases.  
In the recent cases of .onion, .gnu, .zkey etc. we have software using domain
names but wishing to use a non-DNS name resolution mechanism.

This is a "hand in glove" use of RFC6761.  For persons wishing not to
allow the use of RFC6761 for these names, it would seem that you have
two options:

1. Invalidate RFC6761 indicating it was a mistake.  This is not a disaster,
mistakes are made and sometimes need to be rectified.

2. Form a different community for the assessment of these issues, and 
decide not to participate in that process.  Thus, "you" are not allowing the

Option 2 may not be such a silly idea.  Some members of the community
made it clear that they do not wish for DNSOP to be a clearing house for

I assume that .gnu, .zkey, .bit communities would have the patience to
wait for the formation of an alternative processing mechanism, but there
is time pressure on .onion due to the upcoming work with certificates.

Thus, it would seem that a decision is required from this community for
the .onion case.

Needless to say, I support all of these cases where software is using
the domain name syntax but using a non-DNS name resolution mechanism.

I provide that support because they are addressing the issue of privacy
which the greater IETF community embraced with RFC7258.

The DPRIVE WG are working on privacy enhancements *within* the
DNS system.  It is a difficult problem, though many useful contributions
are emerging.  The above non-DNS using softwares approach the
same issue in a different manner: dont use DNS at all.  The advantage
of this approach is that all of the challenges that DPRIVE are wrestling
with are not encountered at all.  The only requirement is the registration
via RFC6761.

Hugo Connery
'If privacy is outlawed, only outlaws will have privacy.' P Zimmerman.
From: DNSOP [] on behalf of Andrew Sullivan []
Sent: Thursday, 2 July 2015 03:42
Subject: Re: [DNSOP] More after onion? was Re: Some distinctions and a  request

Hi Ed,

On Wed, Jul 01, 2015 at 12:26:43PM +0000, Edward Lewis wrote:
> I'm sympathetic to the use the path of least resistance - e.g., use names
> that syntactically are DNS names

I note that the Subject: line of your note still contains a vestigial
reference to the thread I started recently on this, and your message
nevertheless returns to collapsing "domain names" and "DNS names".

I don't know whether I've simply failed to explain the distinction I'm
trying to make, or whether you reject the premise.  Could you please
be clear about which it is?

To me, the _point_ of onion. is that it is not a DNS name.  You're
right that it has the same syntax -- because it is a domain name, but
not (intended to be) a DNS name.  The registration of the name in the
special use registry would achieve that end.

You might object that this distinction is extremely hard, because
there's nothing about the label itself to signal this namespace shift,
and unaware clients will therefore automatically just treat such names
as DNS names, not special-use domain names.

I happen to agree with that, but we cannot hold back this tide: it was
let loose once local. became an in-band protocol switch, without any
registration, in Apple's widely-deployed Bonjour service.  We might
wish that people hadn't abused the namespace to turn it into protocol
switches as well as everything else, but the history of SRV through
Bonjour shows that this technique is popular and unlikely to go away.
Commanding the tide to stay back when you are neck deep in water is
not likely to work.

Therefore, I claim, we need to make some clear distinctions and
understand what has actually happened, and then adjust to the new reality.

Best regards,


Andrew Sullivan

DNSOP mailing list