Re: [DNSOP] ALT-TLD and (insecure) delgations.

Warren Kumari <> Sun, 05 February 2017 15:16 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 05BDD129485 for <>; Sun, 5 Feb 2017 07:16:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 3dr-j9z75Q4E for <>; Sun, 5 Feb 2017 07:16:52 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400d:c0d::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 17576128BA2 for <>; Sun, 5 Feb 2017 07:16:52 -0800 (PST)
Received: by with SMTP id w20so81278006qtb.1 for <>; Sun, 05 Feb 2017 07:16:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=SnwFTqgN5y4ab2hAivZhRTJroB4ps9Wh3JIlQwkx6b8=; b=jUZKDBM7gAsI3lJz36SxGtYwjDM4my83AQJX2+yenQfFwNLK5y92PUVz4DLkt+WnRr 3ew8ZMHWagpLISvBGyC8N8Hn8FxsAEtghr7Cndc66qYvEazuYVpkrH+ORIH4lA1mGPcw rwvV1UWpizqohqrXq4LYwla47hkb8mbMXG8/HfpdJlZAUoK7hJ5Jishi3D2zJ11a7oeD nLBzqowF17/LEWh58xI8ttM33tp11E//D20MJ5dhUtADha0o8RTLQY20kXd8JB5NoVAN I/VWkFw23lZW8VgKjbKEV+F9aWUKeeP3V7I2VrcylR3ZvkCPjEHr41oRG2MxtwM3hj3w GfHg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=SnwFTqgN5y4ab2hAivZhRTJroB4ps9Wh3JIlQwkx6b8=; b=QG1F3yZv4b8UGJCj4QJ0Hu4pkfM2+vMtPhInXkL9saI8B2OPknaLnLifkX4beSc+hi XiEr7K8P3u+6c6MlySN6pvrm6pemkWDoOO60hI/aweBhredapy1sOn7K10PDObTsrH/j MYDba+O1CZJZWkjE2TfBczhO07QAa5L5Y1fNxs+9SjGB3xzbnDOSAag15FXny8RORqv4 fh11/utqbcbbgvKEUj83Cc3Eb9Mouy70eb4RIblJCg9fTEZHY9yWbRxHxc7fxAXHGxEW D6wSLUN8aoSvTbocs0AsCjMbLBBQbjZYIZvUGLbM1jWRCdEDBo1wDjwd5y+WZzngj5W4 PEAw==
X-Gm-Message-State: AMke39lkIrMzKUgDpQkk5/eFDDYp9QKhZu5nG2FmIgM7z6+8369ZdRkT3LkxE5EZLrdso+3Vdry+5b1clgE7vXzi
X-Received: by with SMTP id b52mr6426605qtc.124.1486307811055; Sun, 05 Feb 2017 07:16:51 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Sun, 5 Feb 2017 07:16:20 -0800 (PST)
In-Reply-To: <>
References: <> <> <> <> <> <> <>
From: Warren Kumari <>
Date: Sun, 05 Feb 2017 10:16:20 -0500
Message-ID: <>
To: Ted Lemon <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Cc: dnsop <>, Andrew Sullivan <>
Subject: Re: [DNSOP] ALT-TLD and (insecure) delgations.
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 05 Feb 2017 15:16:54 -0000

On Fri, Feb 3, 2017 at 9:40 PM, Ted Lemon <> wrote:
> On Feb 3, 2017, at 9:10 PM, Andrew Sullivan <> wrote:
> My memory is that only after that
> did we start thinking of a sort of 1918-style part of the DNS as
> well.  That may have been a mistake, since as this discussion is
> showing the properties of an in-protocol, in-DNS namespace without
> delegations are somewhat different to alternative-protocol uses that
> do not rely on the DNS at all.
> I think that we've seen a number of questions go by that lead to the
> conclusion that it makes sense to have two hierarchies: one for experimental
> non-DNS queries, and one for locally served zones.


>  I don't know if we
> _need_ the .LSZ (or whatever) SUTLDN, but if we need to be able to have a
> special-use top-level domain name that has an un-signed delegation, it
> probably ought to be different than the SUTLDN that is used for non-DNS
> stuff, so that both names can have the appropriate configuration in the root
> zone.

.alt was intended only for names *outside* the DNS - an alternate name
resolution system (like .onion). It was never intended for use in an
alternate/internal DNS namespace. If needed, we can clarify this in
the draft.

I fully understand the desire for names which are resolved using the
DNS, but are not rooted in / connected to the DNS root -- I think that
something like this would be really useful (I've got a bunch of
use-cases), but it seems like a completely different kettle of fish.

I'd encourage someone to write a document like this -- I started
writing a such document[0] in July 2015 to reserve a name (.internal)
specifically for this, but only got as far as the title and abstract
before getting sidetracked. :-P

So, in my opinion there should not be any sort of delegation for .alt.
A new (short) draft reserving .internal (or whatever) specifically for
DNS names not rooted in / connected to the IANA tree could be written,
and that can ask for a delegation.


    <title abbrev="template">Reservation of .internal as a Special Use
      <t>This document reserves the string "internal" for use as an internal
      DNS </t>

      <t>[ Ed note: Text inside square brackets ([]) is additional background
      information, answers to freqently asked questions, general musings, etc.
      They will be removed before publication.]</t>

      <t>[ This document is being collaborated on in Github at: The most recent version of the document,
      open issues, etc should all be available here. The authors (gratefully)
      acept pull requests ]</t>

> _______________________________________________
> DNSOP mailing list

I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.