IETF Logo Mail Archive

Re: [DNSOP] Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard

Alec Muffett <alecm@fb.com> Mon, 10 August 2015 18:05 UTC

Return-Path: <prvs=5664d36374=alecm@fb.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D48301B387F; Mon, 10 Aug 2015 11:05:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.366
X-Spam-Level:
X-Spam-Status: No, score=-2.366 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4D5Pzj7bTY5V; Mon, 10 Aug 2015 11:05:04 -0700 (PDT)
Received: from mx0a-00082601.pphosted.com (mx0b-00082601.pphosted.com [67.231.153.30]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F0741B387C; Mon, 10 Aug 2015 11:05:04 -0700 (PDT)
Received: from pps.filterd (m0004003 [127.0.0.1]) by mx0b-00082601.pphosted.com (8.14.5/8.14.5) with SMTP id t7AI4a9t006461; Mon, 10 Aug 2015 11:04:40 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fb.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=facebook; bh=jDdH1jHy2K7AYB+QyMPVqNSzU3v+dKco4MSRUAKWcfw=; b=TmLgz5iGUTgeIgqVH6wHPe8J8Vn1Kj7v4TPA6SaPfpeq2RvRzSouU9iuyuvgV6vsRV8V /Kj4VAKlK8ekcmDltkif8bXBUEwHAaiEJdF0FkUihay6r6UKuKbsNhilcBE3IcB7OmHm E80m6aUy0pnvTOoynTLmsv+UMUImBrnHp8c=
Received: from mail.thefacebook.com ([199.201.64.23]) by mx0b-00082601.pphosted.com with ESMTP id 1w70h183pr-4 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Mon, 10 Aug 2015 11:04:39 -0700
Received: from PRN-MBX02-4.TheFacebook.com ([169.254.2.114]) by PRN-CHUB05.TheFacebook.com ([fe80::9886:b2c2:db18:5ba7%12]) with mapi id 14.03.0195.001; Mon, 10 Aug 2015 11:04:26 -0700
From: Alec Muffett <alecm@fb.com>
To: Ted Hardie <ted.ietf@gmail.com>
Subject: Re: [DNSOP] Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard
Thread-Topic: [DNSOP] Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard
Thread-Index: AQHQvmrojAhJLnn8xU++NMtyLYg/4p4BKKEAgAAK5gCAAA/pgIABQ5uAgAOK6QCAABSIgA==
Date: Mon, 10 Aug 2015 18:04:25 +0000
Message-ID: <CD2ABBDD-F9CA-4A27-A0B6-3CDD37DB1AB4@fb.com>
References: <20150714192438.1138.96059.idtracker@ietfa.amsl.com> <D1EA295A.DFA3%edward.lewis@icann.org> <55C4C0DA.8070502@w3.org> <D1EA43FA.DFB8%edward.lewis@icann.org> <554DA9E5-2071-48A2-8AC8-DD07DE3B2BB0@fb.com> <CA+9kkMAcW_g28qAZ8SKbqefZfdDxzdM7=0D_of7f_qLm08d3wA@mail.gmail.com>
In-Reply-To: <CA+9kkMAcW_g28qAZ8SKbqefZfdDxzdM7=0D_of7f_qLm08d3wA@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.52.123]
Content-Type: multipart/signed; boundary="Apple-Mail=_DECDF04E-2286-4D94-84E0-FD5DD8D38E5F"; protocol="application/pgp-signature"; micalg="pgp-sha512"
MIME-Version: 1.0
X-Proofpoint-Spam-Reason: safe
X-FB-Internal: Safe
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.14.151, 1.0.33, 0.0.0000 definitions=2015-08-10_03:2015-08-10,2015-08-10,1970-01-01 signatures=0
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/_QH7YtRzo6e3VuomvuqjzDVZwGk>
Cc: Edward Lewis <edward.lewis@icann.org>, Mark Nottingham <mnot@mnot.net>, "dnsop@ietf.org" <dnsop@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, Richard Barnes <rlb@ipv.sx>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Aug 2015 18:05:07 -0000

On Aug 10, 2015, at 9:50 AM, Ted Hardie <ted.ietf@gmail.com> wrote:
> 
> I believe that the registry we have currently defined doesn't do a great job of capturing the actual needs here.  It doesn't define what the larger namespace encompassing the DNS is or could be well, and it doesn't provide a way to note the continuing evolution of the non-DNS resolution processes.  It does a fine job with .example since that's fundamentally just a reservation, but .onion is showing its warts.
> 
> I understand the urgency of the .onion case, but I suspect that we're going to have to split it back out of the current registry once we have fixed the problems with the registry itself.  I am wondering if there is a way forward here where we permit the registration in the existing registry, but with a note that it will likely move into either a different registry or an expanded registry in the future.
> 



Hi Ted, thanks for the feedback.

I don’t see any question in the above which impinges upon the draft so much as being related to internal operations of IETF and/or DNSOP, but I’d like to reinforce that CA/B-Forum are apparently happy so long as “.onion” is part of the recognised global namespace.

The minutiae of which bucket that lives in is probably not an issue? (Tag: Mark Nottingham, Richard Barnes)

It strikes me that if labels “beneath” the .onion special domain name may in future exceed the bounds expected of DNS - but the root is acknowledged to have global legitimacy - then it’s all to the better that DNS software is aware of “.onion” and basically ignores it, which it the other intent of the draft.


In an e-mail elsewhere I recently noted:

>> A scan of section 3.2.2 of RFC3986 “Uniform Resource Identifier (URI): Generic Syntax” - I won’t claim to have read the whole thing - seems quite open to the existence of [namespaces other than DNS being used in URIs]:
>> 
>> A host identified by a registered name is a sequence of characters usually intended for lookup within a locally defined host or service name registry, though the URI's scheme-specific semantics may require that a specific registry (or fixed name table) be used instead. The most common name registry mechanism is the Domain Name System (DNS).
>> 
>> [...dns format description elided...]
>> 
>> This specification does not mandate a particular registered name lookup technology and therefore does not restrict the syntax of reg-name beyond what is necessary for interoperability. Instead, it delegates the issue of registered name syntax conformance to the operating system of each application performing URI resolution, and that operating system decides what it will allow for the purpose of host identification. A URI resolution implementation might use DNS, host tables, yellow pages, NetInfo, WINS, or any other system for lookup of registered names. However, a globally scoped naming system, such as DNS fully qualified domain names, is necessary for URIs intended to have global scope. URI producers should use names that conform to the DNS syntax, even when use of DNS is not immediately apparent, and should limit these names to no more than 255 characters in length.

Nothing appears in there about DNS’s (semantic) 63-character label lengths, instead the constraint defined is DNS “syntax” - arguably "strings of alnumhyphen separated by dots" - and an overall 255-character length limit.

Next-generation Onion Address Syntax has not yet been agreed, but the current plans exist within this syntax-and-255-limit definition, eg:
> a1uik0w1gmfq3i5ievxdm9ceu27e88g6o7pe0rffdw9jmntwkdsd.onion # first label exceeds 63 characters, hypothetical illustration only
Existing Onion-Address Syntax (facebookcorewwwi.onion) is completely within existing DNS’s apparent semantics as well as syntax.

Of course, this is orthogonal to the matter of registries within registries which you raise above, but I feel it worth raising.

    -a

—
Alec Muffett
Security Infrastructure
Facebook Engineering
London

v2.23.0 | Report a Bug | By Email