Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

Warren Kumari <> Tue, 18 October 2016 20:54 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1DCD112987F for <>; Tue, 18 Oct 2016 13:54:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id qkTpU1o2SIMF for <>; Tue, 18 Oct 2016 13:54:03 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4B36712985C for <>; Tue, 18 Oct 2016 13:54:03 -0700 (PDT)
Received: by with SMTP id f128so7867519qkb.1 for <>; Tue, 18 Oct 2016 13:54:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ibIFAFUi7gLZD+NRbQfIFgSsmk8EkDU0OTGcbDWPgGU=; b=UXUYOyjgzCkJOUEPEPgMDN+zJjrME2kBonJB2G22lX+CJr+a5wBgMAK35F3SrrPZPk zAN7pn+k2h5nkytDVa4M5EUv2H6piReEN3+rHED/HkUegub/PwYYj2E7Jqg2DeSsEQJi intQX5LEPZJm9FzEHluBW7z8fA746dlIf1LvvsKvNArmNyGGzAUbPOeXuIT7Xw+ZwZX7 4R1TLye36QiA71+s9ufxKhufIbxx0B9OLuFuzzpOuyHDM1bzVig19/tzgu0jiTYV9UZz moTA6xJyEx/oi7vyUlweHu1ZIH3axcar7gMvCUWZEiN04i5fG37H2SgV1vYkNkqCeMpX YbLw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ibIFAFUi7gLZD+NRbQfIFgSsmk8EkDU0OTGcbDWPgGU=; b=cpxvMwTWWzFUlGqJAMUQ8QiuJ9tYkvxIZtsKyKXpsPzeH9UaQXz1YZOC+5p+52piX9 tlSZ+18mOMDPqwgxL21SL3csEqvVp3COIEbKUZFt7yJBci9VWFEstgyO2uk9fBykuTzu OzgX06v+FIgXOVVOi2TptN2ochI6UfqICjsmKI2UQkTKXvrRfH6AMdcXzl/HxVLX3FAr +++tQqiUdg3OA2v1d62Se7p24oRbdGI4mcZR50Bog41EgXSQcv3RLpNyWtS3gqOmYLVC 3Kzhc29QM3PVKdd8r3u3MfSygbRB3wpNxsipPaJD5hBqoOSjGoTmVsJc/ZelpfBe8V0s MDWw==
X-Gm-Message-State: AA6/9RnFqhDBpk5YBIKVPl/gY+FyiYuv8oDGUoCtbEeZJQgw8PirpgvQF+dP05JncQ8/0c2/dpcs/mhm8/HUQEwo
X-Received: by with SMTP id c139mr2475871qkg.29.1476824042357; Tue, 18 Oct 2016 13:54:02 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Tue, 18 Oct 2016 13:53:31 -0700 (PDT)
In-Reply-To: <>
References: <> <>
From: Warren Kumari <>
Date: Tue, 18 Oct 2016 16:53:31 -0400
Message-ID: <>
To: Paul Wouters <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Cc: dnsop <>, "" <>
Subject: Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 18 Oct 2016 20:54:05 -0000

On Fri, Oct 14, 2016 at 10:04 AM, Paul Wouters <> wrote:
> On Fri, 14 Oct 2016, Stephane Bortzmeyer wrote:
>> draft-bortzmeyer-dname-root
>> <>,
>> which proposes to "sink" special-use TLD (may be you've heard of RFC
>> 6761 "special use domain names"?) using AS 112, will expire soon. From
>> the discussions, the two biggest issues were the "governance"
>> difficulties (adding DNAME records in the root...) and the privacy
>> issues (sending .local requests to random AS 112 operators).
>> It seems there is not enough interest for this work, so I was thinking
>> of just documenting the current state of the discussion, in case other
>> people rediscover the problem. May be an individual RFC?
> This is tricky. We want DNS resolvers to not send these onto the
> internet. But by adding delegations in the root to AS112, aren't
> we making it more likely that the queries leak further onto the net?

So, back in ~Feb 2014 we had very similar discussion about ALT-TLD,
AS112 delegations and DNAME.

Initially the ALT-TLD document
( had .alt
being delegated to "new style" AS112 nameservers, but Joe Abley
pointed out that this would be a lame delegation.
We also discussed using DNAME, but the general view seemed to be that
getting this deployed in the root would be an uphill battle; much of
this discussion was happening during the new gTLDs process , "the
variants problem", bundling, etc.
There is also a big difference between "reserving" something and
actually getting it delegated, even for a "null" answer.

The consensus seemed the be that adding things like .alt to the
RFC6303 ( "Locally Served DNS Zones") registry was sufficient. I think
that the consensus was correct -- RFC6303 zones come baked into most
authoritative resolver packages, and the time to upgrade the majority
of "served users" isn't that long (especially if you get this into the
registry shortly before a large CVE :-P). Anything which isn't caught
by Locally Served Zones simply flows upwards till it hits the root --
which is already handling this garbage anyway...

So, back to Stephane's original question  -- I think that documenting
the current state is useful, or we will have this discussion all over
again in a few months....

Below is the .ALT IANA considerations, and extracts of the 6761 "questions":

4.  IANA Considerations

   The IANA is requested to add the ALT string to the "Special-Use
   Domain Name" registry ([RFC6761], and reference this document.  In
   addition, the "Locally Served DNS Zones" ([RFC6303]) registry should
   be updated to reference this document.

4.1.  Domain Name Reservation Considerations

   This section is to satisfy the requirement in Section 5 of RFC6761.

4.  Caching DNS servers SHOULD recognize these names as special and
       SHOULD NOT, by default, attempt to look up NS records for them,
       or otherwise query authoritative DNS servers in an attempt to
       resolve these names.  Instead, caching DNS servers SHOULD
       generate immediate negative responses for all such queries.

   5.  Authoritative DNS servers SHOULD recognize these names as special
       and SHOULD, by default, generate immediate negative responses for
       all such queries, unless explicitly configured by the
       administrator to give positive answers for private-address
       reverse-mapping names.

   6.  DNS server operators SHOULD be aware that queries for names
       ending in .alt are not DNS names, and were leaked into the DNS
       context (for example, by a missing browser plugin).  This
       information may be useful for support or debugging purposes.

> Paul
> _______________________________________________
> DNSOP mailing list

I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.