Re: [DNSOP] Some thoughts on special-use names, from an application standpoint

"John Levine" <> Mon, 30 November 2015 20:01 UTC

>IMHO, I believe that there can be a way to attach resolution semantics to
>top-level names and implement this in the API level.  IOW, for DNS "above
>the DNS" in the software stack.  This is just a belief, not a certainty.

Well, sure, that's how .onion and .local work now.  But there's no
general name resolution API other than the DNS, so anything else is
specific to whatever applications the API supports.

For .onion, the usual API is SOCKS (RFC 1928).  That works if you want
a TCP-like byte stream or a UDP-like packet stream, but you're out of
luck if you want to do service discovery with MX or SRV or NAPTR, or
certificate management with TLSA, or anything else the DNS does beyond
returning A and AAAA records with addresses to be used in a connect().

To me, this is the worst problem with names that look like DNS names
but aren't in the DNS.  People will claim that they work fine, but
"fine" inevitably means some small set of applications, and they don't
care about (or aren't even aware of) everything else.
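As an added illustration (not part of John Levine's post), here is the SOCKS5 request format from RFC 1928 that the post refers to, with a constructed placeholder name: the request carries only a command, a destination name and a port, which is why a SOCKS-based resolver can hand back a connection but has no way to express an MX, SRV, NAPTR or TLSA lookup.

```python
import struct

# RFC 1928 field values (the post cites RFC 1928; these constants come from that RFC).
SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01        # TCP-like byte stream
CMD_UDP_ASSOCIATE = 0x03  # UDP-like packet stream
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03        # destination given as a name; the proxy resolves it
ATYP_IPV6 = 0x04


def build_socks5_request(cmd: int, host: str, port: int) -> bytes:
    """Encode a SOCKS5 request (RFC 1928 section 4) with a domain-name address.

    Wire format: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT. Nothing in it
    names a DNS record type, so the only thing a client can ask for is a
    connection to <name, port>; MX, SRV, NAPTR or TLSA queries cannot be expressed.
    """
    name = host.encode("ascii")
    if not 1 <= len(name) <= 255:
        raise ValueError("domain name must be 1..255 bytes")
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    header = struct.pack("!BBBB", SOCKS_VERSION, cmd, 0x00, ATYP_DOMAIN)
    return header + bytes([len(name)]) + name + struct.pack("!H", port)


def parse_socks5_request(data: bytes) -> dict:
    """Decode a SOCKS5 request with a domain-name address back into its fields."""
    if len(data) < 5 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp != ATYP_DOMAIN:
        raise ValueError("only ATYP=0x03 (domain name) is handled here")
    n = data[4]
    if len(data) != 5 + n + 2:
        raise ValueError("truncated or trailing bytes in request")
    host = data[5:5 + n].decode("ascii")
    port = struct.unpack("!H", data[5 + n:])[0]
    return {"cmd": cmd, "atyp": atyp, "host": host, "port": port}


if __name__ == "__main__":
    # "example.onion" is a constructed placeholder, not a real service.
    req = build_socks5_request(CMD_CONNECT, "example.onion", 443)
    print(req.hex())
    print(parse_socks5_request(req))
```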