< draft-ietf-dnsop-alt-tld-00.txt   draft-ietf-dnsop-alt-tld-01.txt >
dnsop W. Kumari dnsop W. Kumari
Internet-Draft Google Internet-Draft Google
Intended status: Informational A. Sullivan Intended status: Informational A. Sullivan
Expires: December 7, 2015 Dyn Expires: January 4, 2016 Dyn
June 5, 2015 July 3, 2015
The ALT Special Use Top Level Domain The ALT Special Use Top Level Domain
draft-ietf-dnsop-alt-tld-00 draft-ietf-dnsop-alt-tld-01
Abstract Abstract
This document reserves a string (ALT) to be used as a TLD label in This document reserves a string (ALT) to be used as a TLD label in
non-DNS contexts or for names that have no meaning in a global non-DNS contexts or for names that have no meaning in a global
context. It also provides advice and guidance to developers context. It also provides advice and guidance to developers
developing alternate namespaces. developing alternate namespaces.
[ Ed note: This document lives in GitHub at: [ Ed note: This document lives in GitHub at:
https://github.com/wkumari/draft-wkumari-dnsop-alt-tld . Issues and https://github.com/wkumari/draft-wkumari-dnsop-alt-tld . Issues and
pull requests happily accpeted. ] pull requests happily accepted. ]
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 7, 2015. This Internet-Draft will expire on January 4, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 16 skipping to change at page 2, line 16
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements notation . . . . . . . . . . . . . . . . . . 2 1.1. Requirements notation . . . . . . . . . . . . . . . . . . 2
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 2 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 2
2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. The ALT namespace . . . . . . . . . . . . . . . . . . . . . . 4 3. The ALT namespace . . . . . . . . . . . . . . . . . . . . . . 4
4. Advice to developers . . . . . . . . . . . . . . . . . . . . 6 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 4.1. Domain Name Reservation Considerations . . . . . . . . . 6
5.1. Domain Name Reservation Considerations . . . . . . . . . 6 5. Security Considerations . . . . . . . . . . . . . . . . . . . 7
6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 7. Normative References . . . . . . . . . . . . . . . . . . . . 7
8. Normative References . . . . . . . . . . . . . . . . . . . . 8
Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 8 Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction 1. Introduction
Many protocols and systems need to name entities. Names that look Many protocols and systems need to name entities. Names that look
like DNS names (a series of labels separated with dots) have become like DNS names (a series of labels separated with dots) have become
common, even in systems that are not part of the global DNS. common, even in systems that are not part of the global DNS.
This document provides a solution that may be more appropriate than This document provides a solution that may be more appropriate than
[RFC6761] in many cases. RFC6761 specifies Special Use TLDs which [RFC6761] in many cases.
should only be used in exceptional circumstances.
This document reserves the label "ALT" (short for "Alternate") as a This document reserves the label "ALT" (short for "Alternate") as a
Special Use Domain ([RFC6761]). This label is intended to be used as Special Use Domain ([RFC6761]). This label is intended to be used as
the final label (apart from the zero-length terminating label) to the final label (apart from the zero-length terminating label) to
signify that the name is not rooted in the DNS, and that normal signify that the name is not rooted in the DNS, and that normal
registration and lookup rules do not apply. registration and lookup rules do not apply.
1.1. Requirements notation 1.1. Requirements notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
skipping to change at page 4, line 44 skipping to change at page 4, line 42
signify that this is an alternate (non-DNS) namespace. signify that this is an alternate (non-DNS) namespace.
Alternate namespaces should differentiate themselves from other Alternate namespaces should differentiate themselves from other
alternate namespaces by choosing a name and using it in the label alternate namespaces by choosing a name and using it in the label
position just before the pseudo-TLD (ALT). For example, a group position just before the pseudo-TLD (ALT). For example, a group
wishing to create a namespace for Friends Of Olaf might choose the wishing to create a namespace for Friends Of Olaf might choose the
string "foo" and use any set of labels under foo.alt. string "foo" and use any set of labels under foo.alt.
As they are in an alternate namespace, they have no significance in As they are in an alternate namespace, they have no significance in
the regular DNS context and so should not be looked up in the DNS the regular DNS context and so should not be looked up in the DNS
context. Unfortunately simply saying that "something should not context. Some of these requests will inevitably leak into the DNS
happen" doesn't actually stop it from happening, so we need some context (for example, because clicks on a link in a browser that does
rules to guide implementors and operators. The ALT TLD is delegated not have a extension installed that implements the alternate
to "new style" AS112 servers, and so recursive and stub resolvers namespace resolution), and so the ALT TLD has been added to the
will get NXDOMAIN for all queries. "Locally Served DNS Zones" ( [RFC6303]) registry to limit how far
these flow.
1. Iterative resolvers SHOULD follow the advice in [RFC6303],
Section 3.
2. The ALT TLD is delegated to "new style" AS112 nameservers
([RFC7535] ), which will return NXDOMAIN for all queries.
These rules are intended to limit how far unintentional queries (i.e.
those not intended for the global DNS) flow.
Groups wishing to create new alternate namespaces SHOULD create their Groups wishing to create new alternate namespaces SHOULD create their
alternate namespace under a label that names their namespace, and alternate namespace under a label that names their namespace, and
under the ALT label. They SHOULD choose a label that they expect to under the ALT label. They SHOULD choose a label that they expect to
be unique and, ideally, descriptive. be unique and, ideally, descriptive. There is no IANA controlled
registry for names under the ALT TLD - it is an unmanaged namespace,
and developers are responsible for dealing with any collisions that
may occur under .alt.
[Editor note (to be removed before publication): There was
significant discussion on an IANA registry for .ALT - please consult
the lists for full thread, but the consensus seems to be that it
would be better for the IETF / IANA to not administer a registry for
this. It is expected one or more unofficial lists will be created
where people can list the strings that they are using. ]
Currently deployed projects and protocols that are using pseudo-TLDs Currently deployed projects and protocols that are using pseudo-TLDs
may decide to move under the ALT TLD, but this is not a requirement. may decide to move under the ALT TLD, but this is not a requirement.
Rather, the ALT TLD is being reserved so that future projects of a Rather, the ALT TLD is being reserved so that future projects of a
similar nature have a designated place to create alternate resolution similar nature have a designated place to create alternate resolution
namespaces that will not conflict with the regular DNS context. namespaces that will not conflict with the regular DNS context.
A number of names other than .ALT were considered and discarded. In A number of names other than .ALT were considered and discarded. In
order for this technique to be effective the names need to continue order for this technique to be effective the names need to continue
to follow both the DNS format and conventions (a prime consideration to follow both the DNS format and conventions (a prime consideration
skipping to change at page 6, line 10 skipping to change at page 6, line 10
breaking .arpa. breaking .arpa.
There is a concern that if there were placed under .arpa, There is a concern that if there were placed under .arpa,
inexperienced nameserver operators may inadvertently cover .arpa. A inexperienced nameserver operators may inadvertently cover .arpa. A
more significant concern is that the scope of the issue if the query more significant concern is that the scope of the issue if the query
does leak, and the fact that this would then make the root of the does leak, and the fact that this would then make the root of the
alternate naming namespace a third level domain, and not a second alternate naming namespace a third level domain, and not a second
one. A project may be willing to have a name of the form one. A project may be willing to have a name of the form
example.alt, but example.alt.arpa may be not look as good. example.alt, but example.alt.arpa may be not look as good.
4. Advice to developers 4. IANA Considerations
Often, a subdomain of an existing, owned domain may suffice. When
that is so, using a subdomain in the DNS is always preferable, and
safest in terms of not risking misuse, duplications, or collisions.
In the rare instance in which it is not desirable to have the name in
the DNS, the .ALT namespace may be used.
In a number of cases the purpose of the alternate name resolution
system is to provide confidentiality. For these systems the above
advice is problematic. If the query for one of these names (for
example harry.foo.example.com were to leak into the DNS, the query
would hit the recursive resolver, and (assuming empty caches) would
then hit the root, the .com name servers, the example.com name
servers and then the foo.example.com nameservers. This means that
the fact that a user is resolving harry.foo.example.com would be
visible to a large number of people. Furthermore, the
harry.foo.example.com nameservers become a good oracle to determine
what names exist, and who is trying to reach them.
For projects that are very latency sensitive, or that desire to
provide confidentiality, we recommend anchoring the alternate
namespace under the .ALT TLD.
5. IANA Considerations
The IANA is requested to add the ALT string to the "Special-Use The IANA is requested to add the ALT string to the "Special-Use
Domain Name" registry ([RFC6761], and reference this document. In Domain Name" registry ([RFC6761], and reference this document. In
addition, the "Locally Served DNS Zones" ([RFC6303]) registry should addition, the "Locally Served DNS Zones" ([RFC6303]) registry should
be updated to reference this document. be updated to reference this document.
5.1. Domain Name Reservation Considerations 4.1. Domain Name Reservation Considerations
This section is to satisfy the requirement in Section 5 of RFC6761. This section is to satisfy the requirement in Section 5 of RFC6761.
The domain "alt.", and any names falling within ".alt.", are special The domain "alt.", and any names falling within ".alt.", are special
in the following ways: in the following ways:
1. Human users are expected to know that strings that end in .alt 1. Human users are expected to know that strings that end in .alt
behave differently to normal DNS names. Users are expected to behave differently to normal DNS names. Users are expected to
have applications running on their machines that intercept stings have applications running on their machines that intercept
of the form <namespace>.alt and perform special handing of them. strings of the form <namespace>.alt and perform special handing
of them. If the user tries to resolve a name of the form
If the user tries to resolve a name of the form <namespace>.alt <namespace>.alt without the <namespace> plugin installed, the
without the <namespace> plugin installed, the request will leak request will leak into the DNS, and receive a negative response.
into the DNS, and receive a negative response.
2. Writers of application software that implement a non-DNS 2. Writers of application software that implement a non-DNS
namespace are expected to intercept names of the form namespace are expected to intercept names of the form
<namespace>.alt and perform application specific handing with <namespace>.alt and perform application specific handing with
them. Other applications are not intended to perform any special them. Other applications are not intended to perform any special
handing. handing.
3. In general, writers of name resolution APIs and libraries do not 3. In general, writers of name resolution APIs and libraries do not
need to perform special handing of these names. If developers of need to perform special handing of these names. If developers of
other namespaces implement their namespace through a "shim" or other namespaces implement their namespace through a "shim" or
skipping to change at page 7, line 44 skipping to change at page 7, line 19
ending in .alt are not DNS names, and were leaked into the DNS ending in .alt are not DNS names, and were leaked into the DNS
context (for example, by a missing browser plugin). This context (for example, by a missing browser plugin). This
information may be useful for support or debuggung purposes. information may be useful for support or debuggung purposes.
7. DNS Registries/Registrars MUST NOT grant requests to register 7. DNS Registries/Registrars MUST NOT grant requests to register
"alt" names in the normal way to any person or entity. These "alt" names in the normal way to any person or entity. These
"alt" names are defined by protocol specification to be "alt" names are defined by protocol specification to be
nonexistent, and they fall outside the set of names available for nonexistent, and they fall outside the set of names available for
allocation by registries/registrars. allocation by registries/registrars.
6. Security Considerations 5. Security Considerations
One of the motivations for the creation of the alt pseudo-TLD is that One of the motivations for the creation of the alt pseudo-TLD is that
unmanaged labels in the managed root name space are subject to unmanaged labels in the managed root name space are subject to
unexpected takeover if the manager of the root name space decides to unexpected takeover if the manager of the root name space decides to
delegate the unmanaged label. delegate the unmanaged label.
The unmanaged and "registration not required" nature of labels The unmanaged and "registration not required" nature of labels
beneath .ALT provides the opportunity for an attacker to re-use the beneath .ALT provides the opportunity for an attacker to re-use the
chosen label and thereby possibly compromise applications dependent chosen label and thereby possibly compromise applications dependent
on the special host name. on the special host name.
7. Acknowledgements 6. Acknowledgements
The authors understand that there is much politics surrounding the The authors understand that there is much politics surrounding the
delegation of a new TLD and thank the ICANN liaison in advance. delegation of a new TLD and thank the ICANN liaison in advance.
We would also like to thank Joe Abley, Mark Andrews, Marc Blanchet, We would also like to thank Joe Abley, Mark Andrews, Marc Blanchet,
John Bond, Stephane Bortzmeyer, David Cake, David Conrad, Patrik John Bond, Stephane Bortzmeyer, David Cake, David Conrad, Patrik
Faltstrom, Olafur Gudmundsson, Paul Hoffman, Joel Jaeggli, Ted Lemon, Faltstrom, Olafur Gudmundsson, Paul Hoffman, Joel Jaeggli, Ted Lemon,
Edward Lewis, George Michaelson, Ed Pascoe, Arturo Servin, and Paul Edward Lewis, George Michaelson, Ed Pascoe, Arturo Servin, and Paul
Vixie for feedback. Vixie for feedback.
8. Normative References 7. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987. STD 13, RFC 1034, November 1987.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC6303] Andrews, M., "Locally Served DNS Zones", BCP 163, RFC [RFC6303] Andrews, M., "Locally Served DNS Zones", BCP 163, RFC
6303, July 2011. 6303, July 2011.
[RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", [RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names",
RFC 6761, February 2013. RFC 6761, February 2013.
[RFC7535] Abley, J., Dickson, B., Kumari, W., and G. Michaelson,
"AS112 Redirection Using DNAME", RFC 7535, May 2015.
Appendix A. Changes / Author Notes. Appendix A. Changes / Author Notes.
[RFC Editor: Please remove this section before publication ] [RFC Editor: Please remove this section before publication ]
From -00 to 01:
o Removed the "delegated to new style AS112 servers" text -this was
legacy from the omnicient AS112 days. (Joe Abley)
o Removed the "Advice to implemntors" section. This used to
recommend that people used a subdomain of a domain in the DNS. It
was pointed out that this breaks things badly if the domain
expires.
o Added text about why we don't want to adminster a registry for
ALT.
From Individual-06 to DNSOP-00 From Individual-06 to DNSOP-00
o Nothing changed, simply renamed draft-wkumari-dnsop-alt-tld to o Nothing changed, simply renamed draft-wkumari-dnsop-alt-tld to
draft-ietf-dnsop-alt-tld draft-ietf-dnsop-alt-tld
From -05 to -06 From -05 to -06
o Incorporated comments from a number of people, including a number o Incorporated comments from a number of people, including a number
of suggestion heard at the IETF meeting in Dallas, and the DNSOP of suggestion heard at the IETF meeting in Dallas, and the DNSOP
Interim meeting in May, 2015. Interim meeting in May, 2015.
 End of changes. 16 change blocks. 
66 lines changed or deleted 51 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/