Re: [DNSOP] Special-use TLDs in resolvers

Ted Lemon <> Fri, 16 August 2019 13:10 UTC

From: Ted Lemon <>
Date: Fri, 16 Aug 2019 09:10:02 -0400
To: Vladimír Čunát <>

If you look up “onion”, you have revealed that the user is trying to use Tor, even if you haven’t revealed where they are going.

What’s the motivation behind this proposal?

Sent from my iPhone

> On Aug 16, 2019, at 05:30, Vladimír Čunát <> wrote:
> Hello,
> I've been wondering what's best to do around these TLDs: invalid, local, onion, test.  The RFCs say that resolvers SHOULD recognize them as special and answer NXDOMAIN without any interaction with nameservers (by default).  What do you think about NOT following this "advice", subject to some conditions that I explain below?
> 1. QNAME minimization (in the root at least), so that if e.g. query arrives and the cache is empty, the resolver only asks the root for test. and the rest does not leak.
> 2. RFC 8020-style caching (in the root at least), so that we keep the goal of reducing load on root servers.  Note that this is subsumed by aggressive caching (RFC 8198), which should work for the root zone in some commonly used resolvers for about a year already (I believe: Unbound, BIND, Knot Resolver).
> This pair of conditions seems a quite reasonable default regardless of special TLDs, in which case I'd argue it's better not to special-case these four TLDs.  One advantage is that this allows supplying the denials with DNSSEC proofs, which e.g. avoids problems in case the client is missing some of these special cases and wants to validate.  Well, that's arguably a relatively unlikely combination, but my motivation is mainly that it feels nicer to remove them :-)
> Reference RFCs for these TLDs, respectively: 6761.6.4.4, 6762.22.1.4, 6762.2.4, 6761.6.2.4
> --Vladimir
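An added illustration of the two positions in this thread (not code from either poster): a toy resolver that records which QNAMEs reach the root under local special-casing, QNAME minimization (RFC 7816) and RFC 8020-style negative caching. The `Resolver` class, the root behaviour and the lookups are all constructed here; only the root step is modelled. It shows Ted's point: with minimization the root still sees the bare label "onion" once per cache lifetime, while local special-casing sends nothing.

```python
# Constructed simulation: what the root observes for lookups under the four
# special-use TLDs, depending on the resolver policies discussed in the thread.

SPECIAL_USE_TLDS = {"invalid", "local", "onion", "test"}


class Resolver:
    """Toy recursive resolver; only the query to the root is modelled."""

    def __init__(self, special_case=False, qname_min=False, rfc8020=False):
        self.special_case = special_case  # RFC 6761/6762: synthesise NXDOMAIN locally
        self.qname_min = qname_min        # RFC 7816: send the root only the TLD label
        self.rfc8020 = rfc8020            # a cached NXDOMAIN covers the whole subtree
        self.nx_cache = set()             # names the root has told us do not exist
        self.upstream = []                # QNAMEs the root observed (the privacy-relevant part)

    def _cached_nx(self, labels):
        # Exact-match negative cache; with RFC 8020 any cached ancestor also counts.
        candidates = range(len(labels)) if self.rfc8020 else [0]
        return any(".".join(labels[i:]) in self.nx_cache for i in candidates)

    def resolve(self, name):
        labels = name.rstrip(".").lower().split(".")
        tld = labels[-1]
        if self.special_case and tld in SPECIAL_USE_TLDS:
            return "NXDOMAIN"  # answered locally; nothing leaves the resolver
        qname = tld if self.qname_min else ".".join(labels)
        if self._cached_nx(qname.split(".")):
            return "NXDOMAIN"  # answered from cache; nothing leaves the resolver
        self.upstream.append(qname)
        # Constructed root behaviour: none of the special-use TLDs is delegated.
        if tld in SPECIAL_USE_TLDS:
            self.nx_cache.add(qname)
            return "NXDOMAIN"
        return "NOERROR"  # a real delegation would follow; not modelled here


def root_sees(names, **policy):
    """Return the list of QNAMEs the root observes for a sequence of lookups."""
    resolver = Resolver(**policy)
    for name in names:
        resolver.resolve(name)
    return resolver.upstream


if __name__ == "__main__":
    lookups = ["foo.onion", "bar.onion", "baz.test"]
    print("special-cased :", root_sees(lookups, special_case=True))
    print("qname-min     :", root_sees(lookups, qname_min=True))
    print("neither       :", root_sees(lookups))
```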