Re: [DNSOP] new DNS classes

Nico Williams <> Fri, 07 July 2017 16:55 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 032AC131777; Fri, 7 Jul 2017 09:55:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, RCVD_IN_SORBS_SPAM=0.5, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id YCt0BkIFOq9D; Fri, 7 Jul 2017 09:55:17 -0700 (PDT)
Received: from ( []) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7CB73131769; Fri, 7 Jul 2017 09:55:17 -0700 (PDT)
Received: from (localhost []) by (Postfix) with ESMTP id 29843C0028BA; Fri, 7 Jul 2017 09:55:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to:content-transfer-encoding; s=; bh=Y2mfow/2aEnPdOy54Gra5zwUJN8=; b=cSQB3oqhF8/ 3/OHAYJiwPrJzyV9UQp7sAERg5/sDslJwrVFYSJ854Smdnlob+ebCGAl2ztiwqPk qSkDIVg5b3GgUIfV/ZFFeaDpKNGUypbmA81S4VfQ78dj7JIzQHZ3GCEypQ+Cobua zblOxcYChvLESMReTCISAFB4i1eMVTFw=
Received: from localhost ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: by (Postfix) with ESMTPSA id 5398BC086D0C; Fri, 7 Jul 2017 09:55:16 -0700 (PDT)
Date: Fri, 7 Jul 2017 11:55:14 -0500
From: Nico Williams <>
To: David Cake <>
Cc: Randy Bush <>, dnsop <>, Paul Vixie <>, IETF Rinse Repeat <>
Message-ID: <20170707165513.GG3393@localhost>
References: <> <> <> <> <> <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.24 (2015-08-30)
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [DNSOP] new DNS classes
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 07 Jul 2017 16:55:19 -0000

On Fri, Jul 07, 2017 at 03:32:21PM +0200, David Cake wrote:
> > On 5 Jul 2017, at 10:47 am, Randy Bush <> wrote:
> > 
> > i think avoiding icann is a red herring.  if the draft in question had
> > done a decent job of exploring the taxa of needs for name resolution
> > outside of the 'normal' topology, we would have the start of a base on
> > which to discuss this.
> If you have a single centralised root for your new class, you will
> probably either recreate the problems of ICANN, or create one or more
> of the problems that ICANN has very consciously tried to avoid.  If
> you have a system of name resolution that avoids the need for a
> centralised root, you probably don’t need a new class to implement it.
> The few marginal cases that need to interact with the one root but not
> be ICANN controlled are why we have the RFC 6761 process. 
> I agree a taxa of needs that do not fit within those three cases would
> have been useful. 

Well, there's a) the rooted hierarchy of the public DNS (IN class),
b) mDNS (which isn't really DNS, just a local discovery mechanism based
on the DNS protocol), c) the HS class, which traditionally wasn't used
in a federated manner (but maybe I'm wrong about that), so it doesn't
need a rooted hierarchy, though it also could use one.  (b) and (c) are
niches, with no real place on the open, public Internet.

One could use something like HS as an alternative to LDAP, say, but
recall that the vision of a world of federated and open directories
never materialized NOT because of limitations of DAP/LDAP, but because
of confidentiality/ privacy considerations.  Such a class would really
need to use the same rooted hierarchy, and, really, the same root, as
the public DNS IN class -- i.e., an IN RR type namespace extension
class, so it's best to consider such a class in those terms rather than
as a "directory class".

I am having a very difficult time imagining, say, a peer-to-peer or
web-of-trust DNS (other than mDNS).  Perhaps my imagination fails me.

A rooted hierarchy is and has been incredibly useful, and the simplest
method of providing a consisten Internet to all users.  It seems to me
very unlikely that we'll ever move from that.  At most we may have
alternative roots, but a mostly common set of TLDs (e.g., as happens in
many private (corporate) networks).