Re: [DNSOP] *.DNS metaTLD [ref: additional special names]

Joe Abley <> Sun, 02 March 2014 03:13 UTC

From: Joe Abley <>
Date: Sat, 1 Mar 2014 22:13:23 -0500
To: okTurtles <>

Hi Greg,

On 1 Mar 2014, at 19:45, okTurtles <> wrote:

>> ask them if they would be willing to accept a dns.alt or something like that.
> *.dns is a metaTLD, whereas I don't believe *.alt has been designated as such?

You're right, ALT (the TLD) doesn't exist today, might one day exist, and is not special in any way right now, although a draft proposal exists to make it special and avoid its future delegation from the root zone.

If we suppose that it's possible, due to software defects or user error, that DNS queries will one day be sent to the Internet for names ending in .DNS, how about choosing a parent domain that you control, and whose traffic can be managed separately, instead?

Leaked traffic for names ending in .DNS is going to hit the root servers today. If a new gTLD called "DNS" exists in the future, you'll hit their servers (and there will be confusion between which name was intended, and potentially leakage of query data between the two namespaces). If you use a name ending in .ALT, and the ALT proposal is adopted, your traffic is back hitting the root servers again, but at least you're not colliding with other names.

If you use your own domain that you have registered and control, you can direct any leaking traffic wherever you want. You can sink it in AS112+ servers (assuming this wg likes that proposal) using an apex DNAME. You have options.

I think considering the possibility that queries will leak towards the DNS is important when you start to develop a new, non-DNS namespace (so, it's great that you're here). Not thinking about it has the potential to leak users' information in unexpected directions, and cause operational mayhem with other people's nameservers.

It's hard to see a better option today than anchoring your new namespace to a domain that you register and pay for in the DNS. Your options in that regard include TLDs if your namespace is sufficiently sensitive to label length that you're prepared to pay the $500k+ for the process to register it; to my mind, your local TLD registrar can probably give you a better deal.
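As an added illustration (not code from this thread or from the mail above), the following Python models the two options discussed: a leaked name under the unregistered .DNS pseudo-TLD lands at the root servers (or at a future "DNS" gTLD), whereas a name under a registered anchor domain with an apex DNAME is rewritten toward the AS112 sink. The anchor domain myns.example and the DNAME target empty.as112.arpa (the AS112+ target, standardized in RFC 7535 after this mail was written) are assumptions, and the resolver log lines are constructed.

```python
import re
from collections import Counter

# Assumptions, not from the thread: a registered anchor domain and the
# AS112+ DNAME target (RFC 7535). The pseudo-TLD is the one under discussion.
ANCHOR = "myns.example."
AS112_SINK = "empty.as112.arpa."
PSEUDO_TLD = "dns"

def labels(name):
    """Split a DNS name into lower-cased labels, dropping the root label."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]

def dname_substitute(qname, owner, target):
    """RFC 6672 DNAME substitution: for a qname strictly below owner, return
    the synthesized CNAME target; the owner name itself is not rewritten."""
    q, o = labels(qname), labels(owner)
    if len(q) <= len(o) or q[len(q) - len(o):] != o:
        return None
    return ".".join(q[:len(q) - len(o)] + labels(target)) + "."

def where_leak_goes(qname):
    """Classify a leaked query by which authority ends up receiving it."""
    q = labels(qname)
    if q and q[-1] == PSEUDO_TLD:
        # Unregistered pseudo-TLD: the root answers NXDOMAIN today; a future
        # gTLD "DNS" would receive the query (and the data in it) instead.
        return "root-or-future-gtld"
    sub = dname_substitute(qname, ANCHOR, AS112_SINK)
    if sub is not None:
        return "as112-sink:" + sub
    return "other"

# Constructed sample of BIND-style resolver query-log lines (not real data).
SAMPLE_LOG = """\
01-Mar-2014 22:13:23.001 client 192.0.2.10#53000: query: alice.dns IN A + (192.0.2.1)
01-Mar-2014 22:13:24.002 client 192.0.2.11#53001: query: bob.dns IN AAAA + (192.0.2.1)
01-Mar-2014 22:13:25.003 client 192.0.2.12#53002: query: carol.myns.example IN A + (192.0.2.1)
01-Mar-2014 22:13:26.004 client 192.0.2.13#53003: query: www.example.net IN A + (192.0.2.1)
"""
QUERY_RE = re.compile(r"query: (\S+) IN ")

def summarize_leaks(log_text):
    """Count, per destination class, where each logged query would end up."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            counts[where_leak_goes(m.group(1)).split(":")[0]] += 1
    return dict(counts)
```

Running summarize_leaks over the sample shows two queries headed for the root (or a future gTLD) and one safely redirected to the AS112 sink.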