]> ICANN

12025 Waterfront Drive, Suite 300 Los Angeles CA 90094-2536 USA +1 519 670 9327 joe.abley@icann.org

703 Palmer Drive Herndon VA 20170 brian.peter.dickson@gmail.com

Many sites connected to the Internet make use of IPv4 addresses that are not globally unique. Examples are the addresses designated in RFC 1918 for private use within individual sites. Devices in such environments may occasionally originate Domain Name System (DNS) queries (so-called "reverse lookups") corresponding to those private-use addresses. Since the addresses concerned have only local significance, it is good practice for site administrators to ensure that such queries are answered locally. However, it is not uncommon for such queries to follow the normal delegation path in the public DNS instead of being answered within the site. It is not possible for public DNS servers to give useful answers to such queries. In addition, due to the wide deployment of private-use addresses and the continuing growth of the Internet, the volume of such queries is large and growing. The AS112 project aims to provide a distributed sink for such queries in order to reduce the load on the IN-ADDR.ARPA authoritative servers. The AS112 project is named after the Autonomous System Number (ASN) that was assigned to it. The AS112 project does not accommodate the addition and removal of DNS zones elegantly. Since additional zones of definitively local significance are known to exist, this presents a problem. This document describes modifications to the deployment and use of AS112 infrastructure that will allow zones to be added and dropped much more easily.

The AS112 project is described in detail in . The AS112 nameservers (PRISONER.IANA.ORG, BLACKHOLE-1.IANA.ORG and BLACKHOLE-2.IANA.ORG) are required to answer authoritatively for each and every zone that is delegated to them. If a zone is delegated to AS112 nameservers without those nameservers being configured ahead of time to answer authoritatively for that zone, there is a detrimental impact on clients following referrals for queries within that zone. This misconfiguration is colloquially known as a "lame delegation". AS112 nameserver operators are only loosely-coordinated, and hence adding support for a new zone (or, correspondingly, removing support for a zone that is no longer delegated to the AS112 nameservers) is difficult to accomplish with accuracy; testing AS112 nameservers remotely to see whether they are configured to answer authoritatively for a particular zone is similarly challenging since AS112 nodes are distributed using anycast. This document proposes that instead of delegating individual zones to AS112 nameservers, DNAME redirection be used instead. This approach has the advantage that query traffic for arbitrary parts of the namespace can be directed to AS112 servers without those servers having to be reconfigured every time a zone is added or removed.

A new zone, EMPTY.AS112.ARPA, is delegated to a single nameserver BLACKHOLE.AS112.ARPA (IPv4 address TBAv4-1, IPv6 address TBAv6-1). The IPv4 address TBAv4-1 has been assigned by the IANA such that the address is coverable by a single IPv4 /24 prefix, and that no other address covered by that prefix is in use. The IPv6 address TBAv6-1 has been similarly assigned such that no other address within a covering /48 is in use. This addressing plan accommodates the anycast distribution of the BLACKHOLE.AS112.ARPA service using a single IPv4 service prefix and a single IPv6 service prefix. See for more discussion of anycast service distribution; see for the specific requests this document makes of the IANA. Some or all of the existing AS112 nodes should be extended to support these new nameserver addresses, and to host the EMPTY.AS112.ARPA zone. See for guidance to AS112 server operators. Each part of the DNS namespace for which it is desirable to sink queries at AS112 nameservers should be redirected to the EMPTY.AS112.ARPA zone using DNAME. See for guidance to zone administrators.

The guidance provided in is extended to include configuration of the TBAv4-1, and TBAv6-1 addresses, and the corresponding announcement of covering routes for those addresses, and to host the EMPTY.AS112.ARPA zone. IPv4-only AS112 nodes should only configure the TBAv4-1 nameserver address; IPv6-only AS112 nodes should only configure the TBAv6-1 nameserver address. It is only necessary for a single AS112 server operator to implement these extensions for this mechanism to function as intended. It is beneficial if many more than one AS112 server operators make these changes, however, since that provides for greater distribution and capacity for the nameservers serving the EMPTY.AS112.ARPA zone. It is not necessary for all AS112 server operators to make these changes for the mechanism to be viable. Detailed instructions for the implementation of these extensions is included in .

Once the EMPTY.AS112.ARPA zone has been deployed using the nameservers described in , redirections may be installed in the DNS namespace for queries that are intended to be answered by the AS112 infrastructure. For example, reverse queries corresponding to TEST-NET-1 (192.0.2.0/24) could be redirected to AS112 nameservers by installing a DNAME resource record in the 192.IN-ADDR.ARPA zone, as illustrated in .

@ORIGIN 192.IN-ADDR.ARPA. ... 2.0.IN-ADDR.ARPA. IN DNAME EMPTY.AS112.ARPA. ...

There is no practical limit to the number of redirections that can be configured in this fashion. Redirection of a particular part of the namespace to EMPTY.AS112.ARPA can be removed at any time, under the control of the administrators of the corresponding part of the DNS namespace. No changes to deployed AS112 nodes incorporating the extensions described in this document are required to support additional redirections. A list of possible candidates for AS112 redirection can be found in . DNAME resource records deployed for this purpose can be signed with DNSSEC, providing a secure means of authenticating the legitimacy of each redirection.

Existing guidance to AS112 server operators to accept and respond to queries directed at the PRISONER.IANA.ORG, BLACKHOLE-1.IANA.ORG and BLACKHOLE-2.IANA.ORG nameservers should continue to be followed, and no changes to the delegation of existing zones hosted on AS112 servers should occur. These measures are intended to provide continuity of operations for zones currently delegated to AS112 servers and avoid any accidental client impact due to the changes proposed in this document. Once it has become empirically and quantitatively clear that the EMPTY.AS112.ARPA zone is well-hosted to the extent that it is thought that the existing, unmodified AS112 servers host 10.IN-ADDR.ARPA, the decision might be made to replace the delegation of those zones with DNAME redirection. Once implemented, the PRISONER.IANA.ORG, BLACKHOLE-1.IANA.ORG and BLACKHOLE-2.IANA.ORG nameservers could be retired. This document gives no such direction to the IANA, however.

All zones listed in are candidates for AS112 redirection. No doubt there are many others that are worth mentioning. Future revisions of this draft should mention them. This document is concerned with provision of the AS112 redirection service, and does not specify that any particular AS112 redirection be put in place.

DNAME was specified a significant time following the original implementations of , and hence universal deployment cannot be expected. specifies a fall-back mechanism which makes use of synthesised CNAME RRSets for this reason. It is a fundamental design requirement of AS112 service that responses be cached. We can safely declare DNAME support on the authoritative server to be a prerequisite for DNAME redirection, but the cases where individual elements in resolver chains do not support DNAME processing deserve closer examination. The expected behaviour when a DNAME response is supplied to a resolver that does not support DNAME is that the accompanying, synthesised CNAME will be accepted and cached. Re-query frequency will be determined by the TTLs returned by the DNAME-responding authoritative servers. Resolution of the CNAME target is straightforward and functions exactly as the AS112 project has operated since it was deployed. The negative caching of the CNAME target follows the parameters defined in the target zone, EMPTY.AS112.ARPA. This has the side-effects that all redirected names ultimately landing on an AS112 node will be negatively-cached with the same parameters, but this lack of flexibility seems non-contraversial; the effect of reducing the negative cache TTL would be increased query volume on the AS112 node operator concerned, and hence controls seem well-alligned with operation. Validating resolvers (i.e. those requesting and processing DNSSEC metadata) are required to implement DNAME, and hence should not make use of synthesised CNAME RRs. The lack of signature over a received CNAME RR should hence not limit the ability to sign the redirection point, and for those signatures to be validated. In the case where a recursive server implements DNAME, but DNAME is not implemented in a stub resolver, CNAME synthesis will again provide a viable path. DNAME support on AS112 nodes themselves is never required under this proposal.

This document proposes a delegation within the ARPA domain, and, in accordance with , IAB review and approval of the delegation of AS112.ARPA as described in is required. Once IAB approval has been obtained, this section may be removed prior to publication or updated to include text that confirms the IAB's decision, at the IAB's discretion.

The IANA is requested to assign one IPv4 /24 netblock and one IPv6 /48 netblock that, to the best of their knowledge, should be suitable for announcement as a single IPv4 /24 prefix and a single IPv6 prefix on the global Internet, respectively. Once assigned, all occurrences of TBAv4 in this document should be replaced by the IPv4 netblock assigned, in conventional notation. Occurrences of TBAv4-1 should be replaced with an address from the netblock with lowest octet set to 1. Similarly, all occurrences of TBAv6 in this document should be replaced by the IPv6 netblock assigned, in conventional notation, and TBAv6-1 replaced with an address from that netblock with the lowest 48 bits set to the value 1. Once those changes are made, this paragraph may be removed prior to publication. The netblocks assigned by the IANA for this purpose are TBAv4 and TBAv6.

The IANA is requested to host and sign the zone AS112.ARPA using nameservers and DNSSEC signing infrastructure of their choosing, as shown in . SOA RDATA may be adjusted by the IANA to suit their operational requirements.

$ORIGIN AS112.ARPA. $TTL 3600 @ IN SOA BLACKHOLE.AS112.ARPA. NOC.DNS.ICANN.ORG. ( 1 ; serial 10800 ; refresh 3600 ; retry 1209600 ; expire 3600 ) ; negative cache TTL NS A.IANA-SERVERS.NET. NS B.IANA-SERVERS.NET. NS C.IANA-SERVERS.NET. BLACKHOLE A TBAv4-1 AAAA TBAv6-1 EMPTY NS BLACKHOLE

Once the AS112.ARPA zone is being hosted in production, the IANA is requested to arrange delegation from the ARPA zone according to normal IANA procedure for ARPA zone management, to the nameservers used in carrying out the direction in . The following metadata is suggested for the delegation, but may be changed by the IANA if required: Name Value Domain: AS112.ARPA Administrative Contact: Internet Architecture Board (IAB) c/o IETF Administrative Support Activity, ISOC Technical Contact: Internet Assigned Numbers Authority (IANA) Nameservers: As chosen by the IANA, see DS-RDATA: As chosen by the IANA, see

This document presents no known additional security concerns to the Internet. For security considerations relating to AS112 service in general, see .

Your name here, etc.

&rfc1035; &rfc2308; &rfc6304; &rfc6672; &rfc1918; &rfc3172; &rfc4033; &rfc4786; &rfc5737; &rfc6303;

The following changes are required to to provide support for AS112 redirection. It is proposed that a successor document to be prepared for joint publication with this document in the interests of providing clear advice to prospective new AS112 operators. The following sub-sections are hence provided mainly only to describe the scope of the changes required for 6304bis, and are not intended for publication in this document. References to this section in this document should ultimately be replaced with references to 6304bis.

The list of zones that the AS112 nameserver should answer authoritatively for is extended to include EMPTY.AS112.ARPA.

The nameserver BLACKHOLE.AS112.ARPA (IPv4 address TBAv4-1, IPv6 address TBAv6-1) is added to the list of nameserver addresses that the AS112 node should support. The IPv4 prefix TBAv4/24 and the IPv6 prefix TBAv6/48 are added as new prefixes to be originated.

The sample configuration provided in this section is extended to accommodate the IPv4 and IPv6 service prefixes associated with AS112 redirection, TBAv4/24 and TBAv6/48, respectively.

The sample configuration provided in this section is extended to accommodate the TBAv4-1 and TBAv6-1 addresses and the EMPTY.AS112.ARPA zone. The contents of the EMPTY.AS112.ARPA zone should be specified (nameservers differ from that included as "db.empty").

Testing should be extended to test for correct hosting of the EMPTY.AS112.ARPA zone.

A reference to this document should be included.

Mention should be made that AS112 redirection, as specified in this document, supports DNSSEC in the sense that the DNAME records which signal the redirection can be signed.

A reference to this document should be included.

This section (and sub-sections) to be removed prior to publication.

Initial write-up of Brian's idea, circulated for the purposes of entertainment.