Special Use Domain '.home.arpa'
Cisco Systems
Paris
France
pierre.pfister@darou.fr
Nominum, Inc.
800 Bridge Parkway
Redwood City
California
United States of America
94065
+1 650 381 6000
ted.lemon@nominum.com
Homenet
TLD
RFC6761
.home.arpa
This document specifies the behavior that is expected from the Domain Name System with
regard to DNS queries for names ending with '.home.arpa.', and designates this
domain as a special-use domain name. 'home.arpa' is designated for non-unique use
in residential home networks. Home Networking Control Protocol (HNCP) is updated to use the
'.home.arpa' domain instead of '.home'.
Users and devices within a home network (hereafter "homenet") require devices and
services to be identified by names that are unique within the boundaries of the homenet
. The naming mechanism needs to function without configuration
from the user. While it may be possible for a name to be delegated by an ISP, homenets
must also function in the absence of such a delegation. A default name with a scope
limited to each individual homenet needs to be used.
This document corrects an error in , replacing '.home' with
'.home.arpa' as the default domain-name for homenets. '.home' had been selected as the
most user-friendly option. However, there are existing uses of '.home' that may be in
conflict with this use: evidence indicates that '.home' queries frequently leak out and
reach the root name servers .
In addition, it's necessary, for compatibility with DNSSEC (),
that an unsigned delegation be present for the name. There is an existing process for
allocating names under '.arpa' . No such process is available
for requesting a similar delegation in the root at the request of the IETF, which does
not administer that zone. As a result, the use of '.home' is deprecated.
This document registers the domain '.home.arpa.' as a special-use domain name and specifies the behavior that is expected from the Domain Name
System with regard to DNS queries for names whose rightmost non-terminal labels are
'.home.arpa'. Queries for names ending with '.home.arpa.' are of local significance
within the scope of a homenet, meaning that identical queries will result in different
results from one homenet to another. In other words, a name ending in '.home.arpa' is
not globally unique.
Although this document makes specific reference to RFC7788, it is not intended that
the use of '.home.arpa' be restricted solely to networks where HNCP is deployed; it is
rather the case that '.home.arpa' is the correct domain for uses like the one described
for '.home' in RFC7788: local name service in residential homenets.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD
NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be
interpreted as described in BCP 14
when, and only when, they appear in all capitals, as shown here.
The domain name '.home.arpa.' is to be used for naming within residential
homenets. Names ending with '.home.arpa.' reference a locally-served zone, the contents
of which are unique only to a particular homenet, and are not globally unique. Such
names refer to nodes and/or services that are located within a homenet (e.g., a printer,
or a toaster).
DNS queries for names ending with '.home.arpa.' are resolved using local resolvers on the
homenet. Such queries MUST NOT be recursively forwarded to servers outside the logical
boundaries of the homenet.
Some service discovery user interfaces that are expected to be used on homenets conceal
information such as domain names from end users. However, it is still expected that in
some cases, users will need to see, remember, and even type, names ending with
'.home.arpa'. It is therefore desirable that users identify the domain and
understand that using it expresses the intention to connect to a service that is specific
to the homenet to which they are connected. Enforcing the fulfillment of this
intention is out of scope for this document.
This section defines the behavior of systems involved in domain name resolution when
resolving queries for names ending with '.home.arpa.' (as per ).
Users can use names ending with '.home.arpa.' just as they would use any other domain
name. The '.home.arpa' name is chosen to be readily recognized by users as signifying that
the name is addressing a service on the homenet to which the user's device is connected.
Application software SHOULD NOT treat names ending in '.home.arpa' differently than
other names. In particular, there is no basis for trusting names that are subdomains
of '.home.arpa' (see ).
Name resolution APIs and libraries MUST NOT recognize names that end in '.home.arpa.' as
special and MUST NOT treat them differently. Name resolution APIs MUST send queries for
such names to a recursive DNS server that is configured to be authoritative for the
'.home.arpa' zone appropriate to the homenet. One or more IP addresses for recursive
DNS servers will usually be supplied to the client through router advertisements or
DHCP. If a host is configured to use a resolver other than one that is authoritative
for the appropriate '.home.arpa' zone, the client may be unable to resolve, or may receive
incorrect results for, names in sub domains of '.home.arpa'.
Unless configured otherwise, recursive resolvers and DNS proxies MUST behave as
described in Locally Served Zones ( Section 3). Recursive
resolvers that can be used in a homenet MUST be configurable with a delegation to an
authoritative server for that particular homenet's instance of the domain
'.home.arpa', and, when so configured, MUST NOT attempt to look up a delegation for
'.home.arpa' in the public DNS. Of course, from an implementation standpoint it may
be that a hybrid name server acts as a caching resolver or DNS proxy for non-local
domains and as an authoritative server for '.home.arpa' and other locally served
zones, responding directly to queries for subdomains of '.home.arpa' rather than
using a delegation.
No special processing of '.home.arpa' is required for authoritative DNS server
implementations. However, if an authoritative DNS server does any sort of sanity
checking of the delegation for zones for which it is configured to be authoritative,
it must be possible to disable this sanity check for '.home.arpa' or ignore the
results.
DNS server operators MAY configure an authoritative server for '.home.arpa' for use
in homenets and other home networks. The operator for the DNS servers authoritative
for '.home.arpa' in the global DNS will configure any such servers as described in
.
'home.arpa' is a subdomain of the 'arpa' top-level domain, which is operated by IANA
under the authority of the Internet Architecture Board according to the rules established
in . There are no other registrars for .arpa.
The final paragraph of Home Networking Control Protocol , section
8, is updated as follows:
OLD:
Names and unqualified zones are used in an HNCP network to provide naming and service
discovery with local significance. A network-wide zone is appended to all single
labels or unqualified zones in order to qualify them. ".home" is the default; however,
an administrator MAY configure the announcement of a Domain-Name TLV (Section 10.6)
for the network to use a different one. In case multiple are announced, the domain of
the node with the greatest node identifier takes precedence.
NEW:
Names and unqualified zones are used in an HNCP network to provide naming and service
discovery with local significance. A network-wide zone is appended to all single
labels or unqualified zones in order to qualify them. '.home.arpa' is the default;
however, an administrator MAY configure the announcement of a Domain-Name TLV (Section
10.6) for the network to use a different one. In case multiple are announced, the
domain of the node with the greatest node identifier takes precedence.
The '.home.arpa' special-use name does not require a special resolution protocol. Names
for which the rightmost two labels are '.home.arpa' are resolved using the DNS
protocol .
A DNS record that is returned as a response to a query for an FQDN in the domain
'.home.arpa.' is expected to have local significance. It is expected to be returned by
a server involved in name resolution for the homenet the device is connected in.
However, such response MUST NOT be considered more trustworthy than would be a similar
response for any other DNS query.
Because '.home.arpa' is not globally scoped and cannot be secured using DNSSEC based on the
root domain's trust anchor, there is no way to tell, using a standard DNS query, in which
homenet scope an answer belongs. Consequently, users may experience surprising results
with such names when roaming to different homenets. To prevent this from happening, it
may be useful for the resolver to identify different homenets on which it has resolved
names, but this is out of scope for this document.
It is not possible to install a trust anchor for this zone in the '.arpa' zone. The reason
for this is that in order to do so, it would be necessary to have the key-signing key for
the zone ( Section 5). Since the zone is not globally unique, no
one key would work.
An alternative would be to install a authenticated denial of existence ( Section 3.2). However, this assumes that validation is being done on
a caching resolver that is aware of the special local meaning of '.home.arpa'. If a
host stub resolver attempts to validate a name in '.home.arpa', an authenticated denial
of existence of 'home' as a subdomain of 'arpa.' would cause the validation to fail.
Therefore, the only delegation that will allow names under '.home.arpa' to be resolved
is an unsigned delegation.
Consequently, unless a trust anchor for the particular instance of the '.home.arpa' zone
being validated is manually configured on the validating resolver, DNSSEC signing of
names within the '.home.arpa' zone is not possible.
Although in principle it might be useful to install a trust anchor for a particular
instance of '.home.arpa', it's reasonable to expect that a host with such a trust anchor
might from time to time connect to more than one network with its own instance of
'.home.arpa'. Such a host would be unable to access services on any instance of
'.home.arpa' other than the one for which a trust anchor was configured.
It is in principle possible to attach an identifier to an instance of '.home.arpa' that
could be used to identify which trust anchor to rely on for validating names in that
particular instance. However, the security implications of this are complicated, and
such a mechanism, as well as a discussion of those implications, is out of scope for
this document.
In order to be fully functional, there must be a delegation of 'home.arpa' in the
'.arpa' zone . This delegation MUST NOT be signed, MUST NOT
include a DS record, and MUST point to one or more black hole servers, for example
BLACKHOLE-1.IANA.ORG and BLACKHOLE-2.IANA.ORG. The reason that this delegation must not
be signed is that not signing the delegation breaks the DNSSEC chain of trust, which
prevents a validating stub resolver from rejecting names published under 'home.arpa' on
a homenet name server.
IANA is requested to record the domain name '.home.arpa' in the Special-Use Domain Names
registry .
The authors would like to thank Stuart Cheshire for his prior work on '.home', as well as
the homenet chairs: Mark Townsley and Ray Bellis. We would also like to thank Paul Hoffman
for providing review and comments on the IANA considerations section and Suzanne Woolf and
Ray Bellis for their detailed review comments.
New gTLD Collision Risk Mitigation
New gTLD Collision Occurence Management
Special-Use Domain Names Registry