Re: [DNSOP] Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard

hellekin <hellekin@gnu.org> Wed, 15 July 2015 15:39 UTC

Message-ID: <55A67E8F.2000006@gnu.org>
Date: Wed, 15 Jul 2015 12:38:55 -0300
From: hellekin <hellekin@gnu.org>
Organization: https://gnu.org/consensus
To: dnsop@ietf.org
References: <20150714192438.1138.96059.idtracker@ietfa.amsl.com> <D1CBC489.D039%edward.lewis@icann.org>
In-Reply-To: <D1CBC489.D039%edward.lewis@icann.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/QKr3_p23bQPbVepeIv-iKHBw32k>
Subject: Re: [DNSOP] Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard

On 07/15/2015 09:42 AM, Edward Lewis wrote:
> 
> The document defines the use of the name by referring to a couple of
> references, none of which appears to be published in a way that can be
> referenced except by URL.
>

I agree that the URL could use more foresight, e.g.
https://torproject.org/spec/protocol,
https://torproject.org/spec/naming, etc. I already suggested this form
to the Tor people without response. That said, a URL is the right thing
to do, as long as it does not change. Once the URL makes it to an RFC,
it is the responsibility of the domain operators to keep it running.
When the Tor specifications are updated to RFC status, then the .onion
tld RFC can be updated as well to point to the new references.

> 
> Drilling into the criteria that are presented.  Not all of them.
> 
> 1. Users.  The draft states "human users are expected to recognize .onion
> names as..."  How are users supposed to recognize them as (special)?  In
> as much as the document says nothing about evidence of deployment and
> adoption, how can an expectation be developed?  If I hadn't been reading
> the thread on DNSOP, I wouldn't have thought "onion" was special - but I
> live in a cave, so what I think isn't important.
>

The original P2PNames draft uses:

"Users can use these names as they would other domain names, entering
them anywhere that they would otherwise enter a conventional DNS domain
name.

Since there is no central authority necessary or possible for assigning
.onion names, and those names correspond to cryptographic keys, users
need to be aware that they do not belong to regular DNS, but are still
global in their scope."

> 4. Caching DNS Servers and
> 5. Authoritative DNS Servers
>
*** Well, isn't it the point of this draft that "as software matures
onion names will not be in DNS queries"?  These points are to minimize
the consequences on privacy when misconfigured systems leak queries, and
to minimize the number of bogus requests hitting the DNS tree.

> 6. DNS Operators
>
*** Again, this is not about enforcing, but about establishing best
practice. People can rely on RFC documentation and conscientious
operators will apply what's written there.

> 7. DNS Registrars/Registries
> 
> This is the place where a case should be made for the registering "onion"
> as a Special Use Domain Name.  Given the story to date, that "onion" is
> not to be in the DNS, then don't change the protocol (5,6 above) but then
> set up barriers to putting it in the DNS (7 here).  If you do that, then
> Name Resolution libraries (3 above) will return "name error" or NXDOMAIN
> to all queries in the onion domain of names.  I see this as where
> registry policy documents can "point" (by reference) to a list of names
> that are specially reserved or restricted.

> 
> My concern is that, if this application proceeds as documented,
> the precedent being set could be regrettable.
> 
*** Are you suggesting then that only 7. is kept?

In any case I recommend reading the original proposal for .onion in the
P2PNames draft 04 for an alternate view. Maybe some of the questions
there can be useful here.

https://tools.ietf.org/html/draft-grothoff-iesg-special-use-p2p-names-04#section-4.3.1

==
hk
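As an added example that is not part of this thread or of the draft: a stub-resolver guard that never emits a DNS query for a name under .onion (the NXDOMAIN behaviour described under point 3 above) and a check over constructed resolver log lines that counts leaked .onion queries per client, which is the misconfiguration and privacy concern raised under points 4 and 5. The log line format is an assumption made for this example, not any product's format.

```python
"""Stub-resolver guard and resolver-log check for .onion names.

Added example; not from the draft or the thread. The log format below is
assumed for this example only: "<client-ip> <qname> <qtype>".
"""
from collections import Counter
from typing import Callable, Optional, Tuple

SPECIAL_USE_SUFFIX = "onion"


def is_onion_name(qname: str) -> bool:
    """True when qname is 'onion' or ends in '.onion' (case-insensitive,
    trailing root dot tolerated). Such a name must not leave the host as
    a DNS query; 'onion.example.net' is an ordinary DNS name."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-1] == SPECIAL_USE_SUFFIX


def resolve_guard(qname: str, send_to_dns: Callable[[str], object]
                  ) -> Tuple[str, Optional[object]]:
    """Name-resolution-library behaviour from the thread: a .onion name is
    answered locally with a name error (NXDOMAIN) and no query is sent;
    every other name goes down the normal DNS path (send_to_dns)."""
    if is_onion_name(qname):
        return ("NXDOMAIN", None)
    return ("OK", send_to_dns(qname))


# Constructed sample log of a caching resolver (format assumed above).
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.7 abcdefghijklmnop.onion A
10.0.0.5 mail.example.com MX
10.0.0.7 ABCDEFGHIJKLMNOP.ONION. AAAA
10.0.0.9 onion.example.net A
"""


def leaked_onion_queries(log_text: str) -> Counter:
    """Count .onion queries per client seen at a caching resolver. Any hit
    is a leak from a misconfigured or Tor-unaware client: the resolver
    should answer NXDOMAIN without forwarding, and the client is the thing
    to fix (points 4 and 5 of the thread)."""
    leaks: Counter = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        client, qname = parts[0], parts[1]
        if is_onion_name(qname):
            leaks[client] += 1
    return leaks
```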