Re: [DNSOP] ALT-TLD and (insecure) delegations.

Andrew Sullivan, Fri, 10 February 2017 17:08 UTC

List-Id: IETF DNSOP WG mailing list

On Wed, Feb 08, 2017 at 12:36:23PM -0800, Brian Dickson wrote:

> So, while technically the instruction (SHOULD NOT) applies to full .onion
> names, it is a SHOULD NOT, not a MUST NOT.

Note also that the original request was that it be a MUST NOT, and
some of us tried to explain that RFCs do not actually determine what
people may do and it's the Internet, and so you couldn't make a
requirement in one RFC that would be guaranteed to be implemented by
those who don't implement that RFC.  Which means that the restriction
is a stupid one.  The result was a compromise in which it says "SHOULD
NOT".  In this case, the pretty good reason not to implement the
restriction is that the Internet doesn't work the way the people who
wanted onion to work thought it did.

Any name under alt -- which is, remember, _supposed_ to be the
protocol switch in the way Warren and I originally were thinking --
should never get looked up in the global DNS.  If it does, that's
because someone is trying to use a name that contains right in itself
an indication that it needs an alternative resolution context, and not
having that resolution context available.  It might be that such a
computer will erroneously fall back on the global DNS.  That's not a
reason for us to do contortions in the specification.

Best regards,


Andrew Sullivan
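
Added example, not part of the message above or of any draft discussed in the thread: a client-side dispatcher that treats the rightmost label as the protocol switch and fails closed instead of falling back on the global DNS when no alternative resolution context is present. The function names, the handler table and the "gns.alt" namespace are assumptions made for illustration.

```python
# Illustrative sketch only; all names here are hypothetical.

class NoResolutionContext(Exception):
    """The name asks for a non-DNS resolver that this host does not have."""

# Rightmost labels the thread treats as "not for the global DNS".
NON_DNS_SUFFIXES = {"alt", "onion"}

def split_labels(name):
    # DNS names compare case-insensitively; one trailing dot marks the root.
    if name.endswith("."):
        name = name[:-1]
    return name.lower().split(".")

def resolve(name, handlers, dns_lookup):
    """Dispatch on the rightmost label.

    handlers maps a suffix such as "onion" or "gns.alt" (constructed
    example) to a callable implementing that resolution context.
    dns_lookup is only ever called for names outside NON_DNS_SUFFIXES.
    """
    labels = split_labels(name)
    if labels[-1] not in NON_DNS_SUFFIXES:
        return dns_lookup(name)
    # Longest registered suffix wins, e.g. "gns.alt" before "alt".
    for i in range(len(labels)):
        handler = handlers.get(".".join(labels[i:]))
        if handler is not None:
            return handler(name)
    # No context available: refuse rather than leak the query to the DNS.
    raise NoResolutionContext(name)

if __name__ == "__main__":
    leaked = []  # names that reached the (stubbed) global DNS
    dns = lambda n: leaked.append(n) or "dns"
    ctx = {"onion": lambda n: "tor", "gns.alt": lambda n: "gns"}
    for n in ["www.example.com", "abc.ONION.", "foo.gns.alt", "foo.other.alt"]:
        try:
            print(n, "->", resolve(n, ctx, dns))
        except NoResolutionContext:
            print(n, "-> refused, no resolution context")
    print("sent to DNS:", leaked)
```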