Re: [DNSOP] Some thoughts on special-use names, from an application standpoint

Jacob Appelbaum <> Sun, 29 November 2015 12:38 UTC

Date: Sun, 29 Nov 2015 12:38:18 +0000
From: Jacob Appelbaum <>
To: Philip Homburg <>
Cc:, Mark Nottingham <>, George Michaelson <>
Subject: Re: [DNSOP] Some thoughts on special-use names, from an application standpoint
List-Id: IETF DNSOP WG mailing list <>

On 11/29/15, Philip Homburg <> wrote:
>> .onion was the chosen approach precisely because nothing else but lookup
>> and subsequent routing has to change; there are no other application-level
>> decisions about .onion, and that's a feature. HTTP still works, TLS still
>> works (once you can get a cert), links still work, HTML still works.
>> Same-origin policy still works.
> Call me old-fashioned, but I think this is silly.
> The purpose of the domain name system is to name things. We have IP
> addresses and we want to refer to them using names. We do the same thing
> with mail domains, etc.

That is not the sole purpose - we use DNS for keys, for time stamps,
for data of all kinds.

> In goes a name, out comes some lower level entity.
> In this context an onion address should have been an 'IN ONION', i.e,
> might have an 'IN ONION' address for use with TOR.

And that would also require special handling...

> Now instead, .onion doesn't map to anything. In goes an onion address (and
> not a name), out comes nothing. All .onion does is signal a particular
> transport protocol.

The above is pretty much entirely false. It does map to things. It
does also do more than signal a transport protocol. It is also a
secure, self-authenticating name. The name is itself meaningful in a
global context.

> So it is a clear abuse of the domain name system. It might be that it is
> the
> best option. But my guess is that is was just the easiest hack to get it
> working.

I'd hardly call all of this work easy but I hear your point.

All the best,
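The "self-authenticating name" point above is the crux of the disagreement: an onion address is not a label that some authority maps to an address, it is derived from the hidden service's own public key, so a client can check that the name it typed is bound to the key the service later proves it holds. The following is an added example, not code from this thread, Tor, or any of its authors. It encodes and verifies addresses using the v3 scheme from Tor's rend-spec-v3 (base32 of pubkey || SHA3-256(".onion checksum" || pubkey || version)[:2] || version), which post-dates this 2015 message; v2 addresses of that era were instead a truncated SHA-1 of the service's RSA key. The 32-byte key is a constructed stand-in for a real ed25519 public key, and `route_name` is a hypothetical helper showing the RFC 7686 rule that an application hands .onion names to Tor rather than to DNS.

```python
import base64
import binascii
import hashlib
from typing import Optional

# Constructed sample: stands in for a real 32-byte ed25519 public key.
SAMPLE_PUBKEY = bytes(range(32))
ONION_V3_VERSION = b"\x03"
ONION_V3_LEN = 56  # 35 bytes (32 key + 2 checksum + 1 version) in base32


def _onion_checksum(pubkey: bytes) -> bytes:
    # rend-spec-v3: CHECKSUM = H(".onion checksum" | PUBKEY | VERSION)[:2], H = SHA3-256
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_V3_VERSION).digest()[:2]


def onion_v3_address(pubkey: bytes) -> str:
    """Derive the v3 onion address from the service's ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + _onion_checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def pubkey_from_onion_v3(address: str) -> Optional[bytes]:
    """Recover the public key an address commits to, or None if it is malformed.

    This is the self-authenticating property: the key the client will later
    verify the service's descriptor against is recovered from the name itself,
    with no trusted resolver in the loop.
    """
    name = address.lower().rstrip(".")
    if not name.endswith(".onion"):
        return None
    label = name[: -len(".onion")]
    if len(label) != ONION_V3_LEN:
        return None
    try:
        raw = base64.b32decode(label.upper())
    except binascii.Error:
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION or checksum != _onion_checksum(pubkey):
        return None
    return pubkey


def is_onion_name(name: str) -> bool:
    """True if the rightmost label is 'onion' (case-insensitive, trailing dot tolerated)."""
    labels = name.lower().rstrip(".").split(".")
    return labels[-1] == "onion"


def route_name(name: str) -> str:
    """Hypothetical application-side dispatch per RFC 7686: .onion never goes to DNS."""
    return "tor" if is_onion_name(name) else "dns"


if __name__ == "__main__":
    addr = onion_v3_address(SAMPLE_PUBKEY)
    print(addr, route_name(addr))
    print("verifies:", pubkey_from_onion_v3(addr) == SAMPLE_PUBKEY)
```

Note what the checksum does and does not buy you: it catches typos and truncation, but the actual binding of name to service happens when Tor verifies the descriptor's signature against the recovered key. Flipping any character inside the key or checksum region yields an address that decodes but fails the checksum, which is the check an application should run before ever handing the name to Tor.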