Re: [DNSOP] Special-use TLDs in resolvers

Andrew Sullivan <ajs@anvilwalrusden.com> Fri, 16 August 2019 14:46 UTC

Date: Fri, 16 Aug 2019 10:46:55 -0400
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnsop@ietf.org
Message-ID: <20190816144655.jxd37dwn2t4ywuko@mx4.yitter.info>
References: <a6f528a1-01d0-3bd5-1a7f-96ff4e9bcd85@nic.cz>
In-Reply-To: <a6f528a1-01d0-3bd5-1a7f-96ff4e9bcd85@nic.cz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/v1piSWItIE-xOyMA8NuMZW9olb0>

As I often note, I work for ISOC but I'm not speaking for it.

On Fri, Aug 16, 2019 at 11:30:06AM +0200, Vladimír Čunát wrote:

> I've been wondering what's best to do around these TLDs: invalid, local,
> onion, test.  The RFCs say that resolvers SHOULD recognize them as
> special and answer NXDOMAIN without any interaction with nameservers (by
> default).  What do you think about NOT following this "advice", subject
> to some conditions that I explain below?

I think it's less than ideal, because the point of resolvers immediately
answering NXDOMAIN is that these are not and never will be names in
the global DNS.  That is, they really are special-use, and part of
that specialness is that they're part of the domain name space but not
part of the global DNS name space.

This is particularly true of onion, which is a protocol switch.  It's
intended to signal that you should _never_ look up that name in the
DNS.  That's its whole function.

Best regards,

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com
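An added illustration of the resolver behaviour the RFCs call for and the message above defends (example code written for this archive page, not from the list discussion or any resolver project): a query under one of the four special-use TLDs named in the thread gets a locally synthesised NXDOMAIN and the upstream is never contacted, and, going one step beyond the message, an outbound-query log is audited for special-use names that leaked anyway. The `forward` callback, the `FORWARDED` recorder and the one-entry-per-line log format are assumptions, and the `.onion` label in the sample log is a constructed placeholder.

```python
# The four special-use TLDs named in the message (RFC 6761 / RFC 7686 family).
SPECIAL_USE_TLDS = frozenset({"invalid", "local", "onion", "test"})

def dns_labels(name: str) -> list[str]:
    """Lower-case, drop one optional trailing dot, reject empty labels ('.' -> [])."""
    name = name.strip().lower()
    if name in ("", "."):
        return []
    labels = (name[:-1] if name.endswith(".") else name).split(".")
    if "" in labels:
        raise ValueError(f"malformed name: {name!r}")
    return labels

def is_special_use(qname: str) -> bool:
    """True for a special-use TLD itself and for anything beneath it."""
    labels = dns_labels(qname)
    return bool(labels) and labels[-1] in SPECIAL_USE_TLDS

def resolve(qname: str, qtype: str, forward) -> dict:
    """Answer special-use names locally; hand everything else to `forward`,
    an assumed upstream-query callback (qname, qtype) -> reply dict."""
    if is_special_use(qname):
        # Synthesised negative answer: no nameserver is ever contacted.
        return {"qname": qname, "qtype": qtype, "rcode": "NXDOMAIN",
                "answers": [], "forwarded": False}
    return {**forward(qname, qtype), "forwarded": True}

FORWARDED: list[str] = []  # names demo_forward was asked for (assumed recorder)

def demo_forward(qname: str, qtype: str) -> dict:
    """Stand-in for a real upstream query (constructed; touches no network)."""
    FORWARDED.append(qname)
    return {"qname": qname, "qtype": qtype, "rcode": "NOERROR", "answers": ["192.0.2.1"]}

def leaked_special_use(upstream_log: list[str]) -> list[str]:
    """Scan an outbound (resolver -> upstream) query log, one 'qname qtype' per
    line (assumed format), for special-use names that should never have left."""
    leaked = []
    for line in upstream_log:
        fields = line.split()
        try:
            if fields and is_special_use(fields[0]):
                leaked.append(fields[0])
        except ValueError:
            continue  # unparseable line, not a leak
    return leaked

# Constructed sample log; the .onion label is a placeholder, not a real service.
SAMPLE_UPSTREAM_LOG = ["www.example.com. A", "placeholderonion.onion. A",
                       "printer.local. AAAA", "mail.example.net. MX"]
```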