| < draft-ietf-dnsop-alt-tld-11.txt | draft-ietf-dnsop-alt-tld-12.txt > | |||
|---|---|---|---|---|
| dnsop W. Kumari | dnsop W. Kumari | |||
| Internet-Draft Google | Internet-Draft Google | |||
| Intended status: Informational A. Sullivan | Intended status: Informational A. Sullivan | |||
| Expires: July 13, 2019 Oracle | Expires: February 24, 2020 Oracle | |||
| January 9, 2019 | August 23, 2019 | |||
| The ALT Special Use Top Level Domain | The ALT Special Use Top Level Domain | |||
| draft-ietf-dnsop-alt-tld-11 | draft-ietf-dnsop-alt-tld-12 | |||
| Abstract | Abstract | |||
| This document reserves a string (ALT) to be used as a TLD label in | This document reserves a string (ALT) to be used as a TLD label in | |||
| non-DNS contexts. It also provides advice and guidance to developers | non-DNS contexts. It also provides advice and guidance to developers | |||
| developing alternative namespaces. | developing alternative namespaces. | |||
| [Ed note: Text inside square brackets ([]) is additional background | [Ed note: Text inside square brackets ([]) is additional background | |||
| information, answers to frequently asked questions, general musings, | information, answers to frequently asked questions, general musings, | |||
| etc. They will be removed before publication. This document is | etc. They will be removed before publication. This document is | |||
| skipping to change at page 1, line 41 ¶ | skipping to change at page 1, line 41 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on July 13, 2019. | This Internet-Draft will expire on February 24, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 3, line 10 ¶ | skipping to change at page 3, line 10 ¶ | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| 1.2. Terminology | 1.2. Terminology | |||
| This document assumes familiarity with DNS terms and concepts. | This document assumes familiarity with DNS terms and concepts. | |||
| Please see [RFC1034] for background and concepts, and [RFC7719] for | Please see [RFC1034] for background and concepts, and [RFC7719] for | |||
| terminology. Readers are also expected to be familiar with the | terminology. Readers are also expected to be familiar with the | |||
| discussions in [I-D.ietf-dnsop-sutld-ps] | discussions in [RFC8244] | |||
| o DNS name: Domain names that are intended to be used with DNS | o DNS name: Domain names that are intended to be used with DNS | |||
| resolution, either in the global DNS or in some other context | resolution, either in the global DNS or in some other context | |||
| o DNS context: The namespace anchored at the globally-unique DNS | o DNS context: The namespace anchored at the globally-unique DNS | |||
| root. This is the namespace or context that "normal" DNS uses. | root. This is the namespace or context that "normal" DNS uses. | |||
| o non-DNS context: Any other (alternative) namespace. | o non-DNS context: Any other (alternative) namespace. | |||
| o pseudo-TLD: A label that appears in a fully-qualified domain name | o pseudo-TLD: A label that appears in a fully-qualified domain name | |||
| skipping to change at page 4, line 4 ¶ | skipping to change at page 4, line 4 ¶ | |||
| These strings are not registered anywhere nor are they part of the | These strings are not registered anywhere nor are they part of the | |||
| DNS. However, to users and to some applications, they appear to be | DNS. However, to users and to some applications, they appear to be | |||
| TLDs; and issues may arise if they are looked up in the DNS. This | TLDs; and issues may arise if they are looked up in the DNS. This | |||
| document suggests that name resolution libraries (stub resolvers) | document suggests that name resolution libraries (stub resolvers) | |||
| recognize names ending in ".alt" as special, and not attempt to look | recognize names ending in ".alt" as special, and not attempt to look | |||
| them up using the DNS protocol in order to limit the effects of | them up using the DNS protocol in order to limit the effects of | |||
| queries accidentally leaking into the DNS. | queries accidentally leaking into the DNS. | |||
| The techniques in this document are primarily intended to address the | The techniques in this document are primarily intended to address the | |||
| "Experimental Squatting Problem", the "Land Rush Problem" and "Name | "Experimental Squatting Problem", the "Land Rush Problem" and "Name | |||
| Collisions" issues discussed in [I-D.ietf-dnsop-sutld-ps] (which | Collisions" issues discussed in [RFC8244] (which contains much | |||
| contains much additional background, etc). | additional background, etc). | |||
| 3. The ALT namespace | 3. The ALT namespace | |||
| This document reserves the ALT label, using the [RFC6761] process, | This document reserves the ALT label, using the [RFC6761] process, | |||
| for use as an unmanaged pseudo-TLD namespace. The ALT label MAY be | for use as an unmanaged pseudo-TLD namespace. The ALT label MAY be | |||
| used in any domain name as a pseudo-TLD to signify that this is an | used in any domain name as a pseudo-TLD to signify that this is an | |||
| alternative (non-DNS) namespace, and should not be looked up in a DNS | alternative (non-DNS) namespace, and should not be looked up in a DNS | |||
| context. | context. | |||
| Alternative namespaces should differentiate themselves from other | Alternative namespaces should differentiate themselves from other | |||
| skipping to change at page 6, line 47 ¶ | skipping to change at page 6, line 47 ¶ | |||
| a DNS name, and so should not attempt to be resolved using the DNS. | a DNS name, and so should not attempt to be resolved using the DNS. | |||
| Unfortunately, these queries will undoubtedly leak into the DNS - for | Unfortunately, these queries will undoubtedly leak into the DNS - for | |||
| example, a user may receive an email containing a hostname which | example, a user may receive an email containing a hostname which | |||
| should be resolved using a specific resolution context (implemented | should be resolved using a specific resolution context (implemented | |||
| by a specific application or resolution mechanism). If the user does | by a specific application or resolution mechanism). If the user does | |||
| not have that particular application installed (and their stub | not have that particular application installed (and their stub | |||
| resolver library has not been updated to ignore queries for names | resolver library has not been updated to ignore queries for names | |||
| ending in .alt), it is likely that this will instead be resolved | ending in .alt), it is likely that this will instead be resolved | |||
| using the DNS. This DNS query will likely be sent to the configured | using the DNS. This DNS query will likely be sent to the configured | |||
| iterative resolver. If this resolver does not have a cache entry for | iterative resolver. If this resolver does not have a cache entry for | |||
| this name (or, if the resolver implements | this name (or, if the resolver implements [RFC8198], a entry for | |||
| [I-D.ietf-dnsop-nsec-aggressiveuse], a entry for .alt) this query | .alt) this query will likely be sent to the DNS root servers. This | |||
| will likely be sent to the DNS root servers. This exposes the | exposes the (leaked) query name to the operator of the resolver, the | |||
| (leaked) query name to the operator of the resolver, the operator of | operator of the queried DNS root server, and anyone watching queries | |||
| the queried DNS root server, and anyone watching queries along the | along the path. This is a general problem with alternative name | |||
| path. This is a general problem with alternative name spaces and not | spaces and not confined to names ending in .alt. | |||
| confined to names ending in .alt. | ||||
| 6. Security Considerations | 6. Security Considerations | |||
| One of the motivations for the creation of the .alt pseudo-TLD is | One of the motivations for the creation of the .alt pseudo-TLD is | |||
| that unmanaged labels in the managed root name space are subject to | that unmanaged labels in the managed root name space are subject to | |||
| unexpected takeover. This could occur if the manager of the root | unexpected takeover. This could occur if the manager of the root | |||
| name space decides to delegate the unmanaged label. | name space decides to delegate the unmanaged label. | |||
| The unmanaged and "registration not required" nature of labels | The unmanaged and "registration not required" nature of labels | |||
| beneath .alt provides the opportunity for an attacker to re-use the | beneath .alt provides the opportunity for an attacker to re-use the | |||
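Review bot: in the -12 column's rewritten sentence "(or, if the resolver implements [RFC8198], a entry for .alt)", "a entry" should be "an entry"; the typo is carried over from -11, so it is worth fixing while the sentence is being touched for the reference update. The same region also spells the term two ways, "namespace" in Section 3 and "name space" in Section 6; pick one.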
| skipping to change at page 7, line 43 ¶ | skipping to change at page 7, line 43 ¶ | |||
| [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | |||
| STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, | STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, | |||
| <https://www.rfc-editor.org/info/rfc1034>. | <https://www.rfc-editor.org/info/rfc1034>. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC6303] Andrews, M., "Locally Served DNS Zones", BCP 163, | ||||
| RFC 6303, DOI 10.17487/RFC6303, July 2011, | ||||
| <https://www.rfc-editor.org/info/rfc6303>. | ||||
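Review bot: dropping [RFC6303] from the normative references in -12 is consistent with the -08 note that the "add this to local zones" text was removed, but the -08 to -12 change list does not mention it; either record the removal there or keep the reference if any remaining text still cites RFC 6303.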
| [RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", | [RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", | |||
| RFC 6761, DOI 10.17487/RFC6761, February 2013, | RFC 6761, DOI 10.17487/RFC6761, February 2013, | |||
| <https://www.rfc-editor.org/info/rfc6761>. | <https://www.rfc-editor.org/info/rfc6761>. | |||
| [RFC7686] Appelbaum, J. and A. Muffett, "The ".onion" Special-Use | [RFC7686] Appelbaum, J. and A. Muffett, "The ".onion" Special-Use | |||
| Domain Name", RFC 7686, DOI 10.17487/RFC7686, October | Domain Name", RFC 7686, DOI 10.17487/RFC7686, October | |||
| 2015, <https://www.rfc-editor.org/info/rfc7686>. | 2015, <https://www.rfc-editor.org/info/rfc7686>. | |||
| [RFC7719] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS | [RFC7719] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS | |||
| Terminology", RFC 7719, DOI 10.17487/RFC7719, December | Terminology", RFC 7719, DOI 10.17487/RFC7719, December | |||
| 2015, <https://www.rfc-editor.org/info/rfc7719>. | 2015, <https://www.rfc-editor.org/info/rfc7719>. | |||
| 8.2. Informative References | 8.2. Informative References | |||
| [Dingledine2004] | [Dingledine2004] | |||
| Dingledine, R., Mathewson, N., and P. Syverson, "Tor: The | Dingledine, R., Mathewson, N., and P. Syverson, "Tor: The | |||
| Second-Generation Onion Router", , 8 2004, | Second-Generation Onion Router", , 8 2004, | |||
| <<https://svn.torproject.org/svn/projects/design-paper/ | <<https://svn.torproject.org/svn/projects/design-paper/ | |||
| tor-design.html>>. | tor-design.html>>. | |||
| [I-D.ietf-dnsop-nsec-aggressiveuse] | [RFC8198] Fujiwara, K., Kato, A., and W. Kumari, "Aggressive Use of | |||
| Fujiwara, K., Kato, A., and W. Kumari, "Aggressive use of | DNSSEC-Validated Cache", RFC 8198, DOI 10.17487/RFC8198, | |||
| DNSSEC-validated Cache", draft-ietf-dnsop-nsec- | July 2017, <https://www.rfc-editor.org/info/rfc8198>. | |||
| aggressiveuse-10 (work in progress), May 2017. | ||||
| [I-D.ietf-dnsop-sutld-ps] | [RFC8244] Lemon, T., Droms, R., and W. Kumari, "Special-Use Domain | |||
| Lemon, T., Droms, R., and W. Kumari, "Special-Use Domain | Names Problem Statement", RFC 8244, DOI 10.17487/RFC8244, | |||
| Names Problem Statement", draft-ietf-dnsop-sutld-ps-08 | October 2017, <https://www.rfc-editor.org/info/rfc8244>. | |||
| (work in progress), August 2017. | ||||
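Review bot: the unchanged [Dingledine2004] entry just above renders with an empty field (`", , 8 2004,`) and a numeric month, and its URL is double-bracketed (`<<https://...>>`); the reference XML is missing the series/publisher field and should give the date as August 2004 with a single set of angle brackets.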
| Appendix A. Changes / Author Notes. | Appendix A. Changes / Author Notes. | |||
| [RFC Editor: Please remove this section before publication ] | [RFC Editor: Please remove this section before publication ] | |||
| From -08 to -12: | ||||
| o Just bumping versions to prevent expiration. | ||||
| o Updated references (aggressive-nsec is now RFC 8198, draft-ietf- | ||||
| dnsop-sutld-ps is now 8244). | ||||
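Review bot: "draft-ietf-dnsop-sutld-ps is now 8244" should read "is now RFC 8244", matching "RFC 8198" earlier in the same bullet.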
| From -07 to -08: | From -07 to -08: | |||
| o Made it clear that this is only for non-DNS. | o Made it clear that this is only for non-DNS. | |||
| o As per Interim consensus, removed the "add this to local zones" | o As per Interim consensus, removed the "add this to local zones" | |||
| text. | text. | |||
| o Added a Privacy Considerations section | o Added a Privacy Considerations section | |||
| o Grammar fix -- "alternative" is more correct than "alternate", | o Grammar fix -- "alternative" is more correct than "alternate", | |||
| End of changes. 10 change blocks. | ||||
| 26 lines changed or deleted | 26 lines changed or added | |||
| This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | | | | |
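
The stub-resolver behaviour the draft asks for (Section 2: recognize names ending in ".alt" as special and do not look them up with the DNS protocol; Section 5: a missing local handler is exactly the case where the query would otherwise leak to the recursive resolver and the root), as an added example. This is not code from the draft or from any resolver implementation. It assumes, for the demo only, that the label directly below .alt names the alternative namespace and that handlers are looked up by that label; the sample names and the fake DNS back end are constructed. The label splitting follows RFC 1035 presentation format so that an escaped dot ("foo\.alt") is correctly treated as one label and not as a name under .alt.

```python
"""Leak guard for a stub resolver: keep .alt names out of the DNS.

Added example, not code from the draft or from any resolver.  Assumed for
the demo: the label directly below .alt names the alternative namespace,
and the sample names and the fake DNS back end are constructed.
"""
from typing import Callable, Dict, List, Optional, Tuple

ALT_LABEL = "alt"


def split_labels(name: str) -> List[str]:
    """Split a presentation-format name (RFC 1035 section 5.1) into labels.
    A backslash escapes the next character, so "foo\\.alt" is ONE label and
    not under .alt.  A trailing root dot is accepted; empty or over-long
    labels raise ValueError."""
    if name in ("", "."):
        return []
    labels: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(name):
        c = name[i]
        if c == "\\":
            if i + 1 >= len(name):
                raise ValueError("dangling backslash in %r" % name)
            cur.append(name[i + 1])
            i += 2
        elif c == ".":
            labels.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if cur:  # no trailing root dot: flush the final label
        labels.append("".join(cur))
    if any(not lab or len(lab) > 63 for lab in labels):
        raise ValueError("invalid label in %r" % name)
    return labels


def is_alt_name(name: str) -> bool:
    """True for the .alt pseudo-TLD itself and for anything beneath it.
    Label comparison is case-insensitive, as in the DNS; "myalt" and
    "alt.example" are ordinary DNS names."""
    labels = split_labels(name)
    return bool(labels) and labels[-1].lower() == ALT_LABEL


class StubResolver:
    """Stub-resolver front end: .alt names never reach the DNS path."""

    def __init__(self, dns_lookup: Callable[[str], Optional[str]],
                 alt_handlers: Dict[str, Callable[[str], str]]) -> None:
        self._dns = dns_lookup
        self._alt = {k.lower(): v for k, v in alt_handlers.items()}

    def resolve(self, name: str) -> Tuple[str, Optional[str]]:
        if not is_alt_name(name):
            return ("DNS", self._dns(name))
        labels = split_labels(name)
        handler = self._alt.get(labels[-2].lower()) if len(labels) > 1 else None
        if handler is None:
            # No local handler: answer "no such name" locally (the treatment
            # RFC 7686 gives .onion) rather than forward a query that would
            # leak to the recursive resolver and, absent a cache entry for
            # .alt, to the root servers.
            return ("NXDOMAIN", None)
        return ("ALT", handler(name))


def demo() -> Tuple[List[str], List[Tuple[str, Optional[str]]]]:
    """Run constructed sample names through the resolver; return the names
    that reached the fake DNS back end and the answers, in input order."""
    sent_to_dns: List[str] = []

    def fake_dns(name: str) -> Optional[str]:
        sent_to_dns.append(name)  # stands in for a real DNS query
        return "192.0.2.1"        # RFC 5737 documentation address

    def example_namespace(name: str) -> str:
        return "handled:" + name.lower()  # stand-in alternative resolver

    resolver = StubResolver(fake_dns, {"example": example_namespace})
    samples = [
        "www.example.com",    # ordinary DNS name
        "host.example.alt",   # .alt namespace with a local handler
        "HOST.EXAMPLE.ALT.",  # same name, upper case, with root dot
        "thing.other.alt",    # .alt namespace with no local handler
        "alt",                # the pseudo-TLD itself
        "myalt.example.net",  # "alt" as a label suffix, not a label
        "foo\\.alt",          # escaped dot: one label, not under .alt
    ]
    return sent_to_dns, [resolver.resolve(n) for n in samples]
```

Running `demo()` shows only the three genuine DNS names reaching the DNS back end; the two .alt names without a handler get a local NXDOMAIN instead of a query that would leak, and the case and root-dot variants of the handled name route to the same alternative resolver. The check is on the final label, not on a string suffix, which is what keeps "myalt.example.net" and the escaped-dot name in the DNS where they belong.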