Re: [DNSOP] Special-use TLDs in resolvers

Steve Crocker <> Fri, 16 August 2019 14:59 UTC

From: Steve Crocker <>
Date: Fri, 16 Aug 2019 10:59:29 -0400
To: Andrew Sullivan <>
Cc: dnsop <>

At the risk of revealing that I haven't been following this thread
carefully, I don't understand how a resolver is supposed to know all of the
special names.  Resolvers that are configured to know that invalid, local,
onion, and test are special will not know about the next name that's put on
the special list.

I guess the larger picture is that onion is a protocol switch, so it's not
sufficient for a resolver to know that it shouldn't look up strings ending
in onion in the global DNS; it must also know what it should do.


On Fri, Aug 16, 2019 at 10:47 AM Andrew Sullivan <> wrote:

> As I often note, I work for ISOC but I'm not speaking for it.
>
> On Fri, Aug 16, 2019 at 11:30:06AM +0200, Vladimír Čunát wrote:
> > I've been wondering what's best to do around these TLDs: invalid, local,
> > onion, test.  The RFCs say that resolvers SHOULD recognize them as
> > special and answer NXDOMAIN without any interaction with nameservers (by
> > default).  What do you think about NOT following this "advice", subject
> > to some conditions that I explain below?
>
> I think it's less than ideal, because the point of resolvers immediately
> answering NXDOMAIN is that these are not and never will be names in
> the global DNS.  That is, they really are special-use, and part of
> that specialness is that they're part of the domain name space but not
> part of the global DNS name space.
>
> This is particularly true of onion, which is a protocol switch.  It's
> intended to signal that you should _never_ look up that name in the
> DNS.  That's its whole function.
>
> Best regards,
>
> A
>
> --
> Andrew Sullivan
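
An added example, not part of the original message and not code from any real resolver: the "answer NXDOMAIN without any interaction with nameservers" behaviour discussed in the thread, written as a whole-label match against a configurable list, plus a check that flags names a resolver forwarded upstream anyway. The function names, the sample names, and the `newspecial` label (a stand-in for a name reserved after the list was written) are constructed for illustration; it covers only the "do not look it up" half, not what an application should do with an onion name instead.

```python
# Added example: hypothetical helper names, not code from any real resolver.
from enum import Enum

# The four TLDs named in the thread, held as data so operators can extend it.
SPECIAL_USE_TLDS = frozenset({"invalid", "local", "onion", "test"})


class Action(Enum):
    NXDOMAIN_LOCALLY = "nxdomain"  # answer without contacting any nameserver
    RESOLVE = "resolve"            # ordinary recursion into the global DNS


def tld_label(qname: str) -> str:
    """Lowercased rightmost label; '' for the root. Assumes no escaped dots."""
    name = qname[:-1] if qname.endswith(".") else qname
    return name.rsplit(".", 1)[-1].lower()


def classify(qname: str, special=SPECIAL_USE_TLDS) -> Action:
    """Match on whole labels, so 'notonion' and 'onion.example.com' pass."""
    if tld_label(qname) in special:
        return Action.NXDOMAIN_LOCALLY
    return Action.RESOLVE


def leaked(forwarded_names, special=SPECIAL_USE_TLDS):
    """Names a resolver sent upstream that the list says should stay local."""
    return [n for n in forwarded_names
            if classify(n, special) is Action.NXDOMAIN_LOCALLY]


# Constructed sample of names seen in an upstream-forwarding log.
SAMPLE_FORWARDED = [
    "www.example.com.",
    "exampleexampleexample.ONION.",
    "printer.local",
    "onion.example.net",
    "host.newspecial",  # constructed stand-in for a name reserved later
]

if __name__ == "__main__":
    print(leaked(SAMPLE_FORWARDED))
    # A stale list misses the newer name until the operator extends it.
    print(leaked(SAMPLE_FORWARDED, SPECIAL_USE_TLDS | {"newspecial"}))
```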