idnits 2.17.1 draft-bortzmeyer-dname-root-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([1]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. == There are 3 instances of lines with non-RFC2606-compliant FQDNs in the document. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (January 17, 2018) is 2285 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '1' on line 328 -- Looks like a reference, but probably isn't: '2' on line 330 -- Looks like a reference, but probably isn't: '3' on line 333 -- Looks like a reference, but probably isn't: '4' on line 336 ** Downref: Normative reference to an Informational RFC: RFC 7534 ** Downref: Normative reference to an Informational RFC: RFC 7535 ** Obsolete normative reference: RFC 7719 (Obsoleted by RFC 8499) == Outdated reference: A later version (-02) exists of draft-bortzmeyer-regext-epp-dname-01 Summary: 4 errors (**), 0 flaws (~~), 3 warnings (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group S. Bortzmeyer 3 Internet-Draft AFNIC 4 Intended status: Standards Track January 17, 2018 5 Expires: July 21, 2018 7 Using DNAME in the DNS root zone for sinking of special-use TLDs 8 draft-bortzmeyer-dname-root-05 10 Abstract 12 This documents asks IANA to add DNAME records in the DNS root zone 13 for TLDs which are in the Special-Use Domain Names registry, in order 14 to ensure they receive an appropriate reply (NXDOMAIN) and that the 15 root nameservers are not too bothered by them. 17 REMOVE BEFORE PUBLICATION: there is no obvious place to discuss this 18 document. May be the IETF DNSOP (DNS Operations) group, through its 19 mailing list (the author reads it). Or may AS112 operators mailing 20 lists? The source of the document, as well as a list of open issues, 21 is currently kept at Github [1]. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at https://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on July 21, 2018. 40 Copyright Notice 42 Copyright (c) 2018 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (https://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction and background . . . . . . . . . . . . . . . . . 2 58 1.1. Requirements Terminology . . . . . . . . . . . . . . . . 2 59 2. Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 60 3. Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . 3 61 4. Possible issues . . . . . . . . . . . . . . . . . . . . . . . 3 62 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 63 6. Security Considerations . . . . . . . . . . . . . . . . . . . 5 64 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 5 65 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 66 8.1. Normative References . . . . . . . . . . . . . . . . . . 5 67 8.2. Informative References . . . . . . . . . . . . . . . . . 6 68 8.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 7 69 Appendix A. Alternative without DNAME in the root . . . . . . . 8 70 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8 72 1. Introduction and background 74 The DNS root nameservers receive a lot of requests for TLDs which do 75 not exist. See for instance [fujiwara-root-traffic] or 76 [icann-l-root-stats] or [ssac-045]. In the spirit of [RFC7534], it 77 would be good if they could be redirected to a sink such as AS112, to 78 save root nameservers's resources. 80 Some of these names, and specially one of the biggest offenders, 81 .local ([RFC6762]), are registered in the Special-Use Domain Names 82 registry [2] of [RFC6761]. They are obvious candidates for a 83 "delegation" to the sink. 85 It is proposed to use the new AS112, the one described by [RFC7535] 86 to implement this sink. 88 1.1. Requirements Terminology 90 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 91 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 92 document are to be interpreted as described in [RFC2119]. 94 2. Rules 96 Every TLD ([RFC7719], section 2) which is in the Special-Use Domain 97 Names registry [3] ([RFC6761]) SHOULD be "delegated" by IANA through 98 a DNAME ([RFC6672]) to empty.as112.arpa as described in [RFC7535] if 99 and only if the registration of this TLD say that resolvers SHOULD 100 NOT or MUST NOT look them up in the DNS. 102 It is important to notice that this document does not define a policy 103 to decide if a TLD should be "delegated" or not. Instead, it relies 104 on the existing Special-Use Domain Names registry and its rules. 106 RFC-EDITOR: remove before publication. As of today, with these 107 rules, .local ([RFC6762]) or .onion ([RFC7686]) would be "delegated" 108 but not .example (its registration in [RFC6761] does not define 109 special handling for resolvers) or .home ([RFC7788]) or .belkin (this 110 last one generates a huge traffic at the root nameservers but is not 111 in the Special-Use Domain Names registry). 113 3. Benefits 115 The main benefit is less load on the root nameservers and a better 116 efficiency of the caches, therefore helping the entire DNS ecosystem. 118 4. Possible issues 120 Of course, the solution described in this document requires a good 121 support of DNAME by the resolvers. Appendix A of [RFC7535] describes 122 an experiment which was run in 2013 and which shows that, indeed, we 123 can rely on DNAME (quoting the authors: "We conclude that there is no 124 evidence of a consistent failure on the part of deployed DNS 125 resolvers to correctly resolve a DNAME construct."). The technical 126 tests documented in [damas-dname] have the same conclusion: DNAMEs 127 work fine. 129 Currently, the root is managed both by ICANN and by Verisign, with an 130 EPP link between them (see [iana-update]). There is no EPP mapping 131 for DNAME "delegations", [RFC5731] does not envision this case. A 132 project is under way, to create a new EPP extension for DNAME 133 "delegation", see [I-D.bortzmeyer-regext-epp-dname]. Of course, it 134 is expected that this small technical problem is of little importance 135 compared with the "Internet governance" problem of having ICANN 136 allowing such DNAMEs (see Section 5). 138 Because DNAME require additional processing by the authoritative 139 servers ([RFC6672], section 3.2), root name servers operators may 140 estimate that it will add an unknown risk for them (at least, it will 141 be more work for the server). 143 What could be the expected "saving" of resources by this 144 "delegation"? Well-behaved resolvers should cache the NXDOMAIN 145 (negative caching duration in the root zone is currently one day) but 146 this covers only the requested name, not the whole TLD (until 147 [RFC8020] is widely deployed and it would only partially solved the 148 issue). There is also a concern that the requests for these non- 149 existing TLDs are not issued by "proper" systems (because they are 150 supposed to never leave the local network). If these requests are 151 sent by badly programmed or badly configured systems, can we be sure 152 they will honor the "delegation" and the caching? To summarise, it 153 would be interesting to design and conduct an experiment to measure 154 the expected effect. Ideas are welcome (the most obvious one, 155 running a "delegation" during a moment then deleting it and comparing 156 the results, is difficult to foresee, for political reasons). 158 To be sure AS112 could handle the load, AS 112 operators were 159 consulted and expressed no objection. 161 Regarding DNSSEC, do note the future DNAMEs in the root zone will be 162 signed, but the target, empty.as112.arpa, is not. See George 163 Michaelson's message [4]. So, it will not be possible to validate 164 the answers. Not a problem since these requests should never have 165 been sent to the root nameservers, anyway. 167 RFC-EDITOR: remove before publication. As of today, it exists 168 apparently five nodes in the new AS112. There is no "official" 169 "delegation" to it. Do note that, as a consequence of the new AS122 170 structure, it is not possible to see how many unofficial 171 "delegations" exist (to see an example, see sink.bortzmeyer.fr). 173 5. IANA Considerations 175 IANA is directed to add a DNAME in the root zone for every TLD which 176 fits the rules of Section 2. 178 RFC-EDITOR: remove before publication. There is currently no DNAME 179 in the root zone. It is expected that the creation of the first one 180 will require a top-down, multi-stakeholder, long and complicated 181 process with a lot of meetings, reports by consultants and design 182 teams. We already have one short mention of this possibility in 183 [ssac-009], then one decision by ICANN [icann-idn-dname] to study the 184 matter and one technical report made after that decision 185 [damas-dname] ("This report found no failure in resolution nor in the 186 ability to perform DNSSEC validation when DNAME was used in the root 187 zone.") 189 TODO: if DNAMEs in the "real" root zone are delayed, is it possible/ 190 realistic for IANA to create an experimental root zone containing the 191 new AS112 "delegations", so that roots like Yeti could publish it and 192 test it? 194 REMOVE BEFORE PUBLICATION: there are today TLDs with a DNAME at their 195 apex (not the same thing): xn--kprw13d and xn--mgba3a4f16a. 197 6. Security Considerations 199 The requests for the TLD in the Special-Use Domain Names registry are 200 typically NOT supposed to leak to the authoritative public name 201 servers such as the ones of the root zone. If they do, it means a 202 misconfiguration somewhere. The leak is independant on whether the 203 name is "delegated" to AS112 or not. See section 8 of [RFC7534] for 204 an analysis. 206 Nevertheless, privacy considerations have to be taken into account. 207 Some people believe there are added risks, because the queries will 208 be seen by AS112 servers which, unlike the root nameservers, are 209 managed by many "random people". This means that population of 210 people who can see the query streams is increased from the set of 211 root nameserver operators and people that they share data with, to 212 potentially anybody. There's no defence against a malefactor 213 hijacking AS112 traffic, because in a real sense that traffic is 214 intended to be hijacked. 216 7. Acknowledgments 218 Thanks to Paul Hoffman to say that it may be a good idea, for Patrik 219 Faltstrom for documentation and research, for Joe Abley for tough 220 proofreading and many suggestions, and for Ted Lemon to give the 221 final impulse, with his [RFC8244]. 223 8. References 225 8.1. Normative References 227 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 228 Requirement Levels", BCP 14, RFC 2119, 229 DOI 10.17487/RFC2119, March 1997, 230 . 232 [RFC6672] Rose, S. and W. Wijngaards, "DNAME Redirection in the 233 DNS", RFC 6672, DOI 10.17487/RFC6672, June 2012, 234 . 236 [RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", 237 RFC 6761, DOI 10.17487/RFC6761, February 2013, 238 . 240 [RFC7534] Abley, J. and W. Sotomayor, "AS112 Nameserver Operations", 241 RFC 7534, DOI 10.17487/RFC7534, May 2015, 242 . 244 [RFC7535] Abley, J., Dickson, B., Kumari, W., and G. Michaelson, 245 "AS112 Redirection Using DNAME", RFC 7535, 246 DOI 10.17487/RFC7535, May 2015, 247 . 249 [RFC7719] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS 250 Terminology", RFC 7719, DOI 10.17487/RFC7719, December 251 2015, . 253 8.2. Informative References 255 [damas-dname] 256 Damas, J., "Report on the Assessment of Security and 257 Stability Implications of the Use of DNAME Resource 258 Records in the Root Zone of the DNS", May 2011, 259 . 261 [fujiwara-root-traffic] 262 Fujiwara, K., "2014 Root DITL Data analysis and TLD 263 popularity analysis (OARC workshop)", October 2014, 264 . 268 [I-D.bortzmeyer-regext-epp-dname] 269 Bortzmeyer, S., "EPP Mapping for DNAME delegation of 270 domain names", draft-bortzmeyer-regext-epp-dname-01 (work 271 in progress), January 2018. 273 [iana-update] 274 Davies, K., "Update on IANA", October 2009, 275 . 279 [icann-idn-dname] 280 ICANN, "Adopted Board Resolutions - IDN Variants", March 281 2010, . 284 [icann-l-root-stats] 285 "QTYPE values for most popular TLDs (ICANN's L-root server 286 public statistics)", April 2016, 287 . 289 [RFC5731] Hollenbeck, S., "Extensible Provisioning Protocol (EPP) 290 Domain Name Mapping", STD 69, RFC 5731, 291 DOI 10.17487/RFC5731, August 2009, 292 . 294 [RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762, 295 DOI 10.17487/RFC6762, February 2013, 296 . 298 [RFC7686] Appelbaum, J. and A. Muffett, "The ".onion" Special-Use 299 Domain Name", RFC 7686, DOI 10.17487/RFC7686, October 300 2015, . 302 [RFC7788] Stenberg, M., Barth, S., and P. Pfister, "Home Networking 303 Control Protocol", RFC 7788, DOI 10.17487/RFC7788, April 304 2016, . 306 [RFC8020] Bortzmeyer, S. and S. Huque, "NXDOMAIN: There Really Is 307 Nothing Underneath", RFC 8020, DOI 10.17487/RFC8020, 308 November 2016, . 310 [RFC8244] Lemon, T., Droms, R., and W. Kumari, "Special-Use Domain 311 Names Problem Statement", RFC 8244, DOI 10.17487/RFC8244, 312 October 2017, . 314 [ssac-009] 315 ICANN, "SAC 009 - Alternative TLD Name Systems and Roots: 316 Conflict, Control and Consequences", March 2006, 317 . 320 [ssac-045] 321 ICANN, "SAC 045 - Invalid Top Level Domain Queries at the 322 Root Level of the Domain Name System", November 2010, 323 . 326 8.3. URIs 328 [1] https://github.com/bortzmeyer/ietf-dname-root 330 [2] http://www.iana.org/assignments/special-use-domain-names/special- 331 use-domain-names.xml 333 [3] http://www.iana.org/assignments/special-use-domain-names/special- 334 use-domain-names.xml 336 [4] https://mailarchive.ietf.org/arch/msg/dnsop/ 337 JsPNz66aQE3-r3toawCV_ajoCNo 339 Appendix A. Alternative without DNAME in the root 341 This alternative was drafted by John Levine. It works without adding 342 DNAME records in the root zone, which solves some of the issues noted 343 in Section 4 and Section 5, but it requires new IANA work: setting up 344 new zones (and it still requires changes in the root zone). 346 To delegate, say, .onion: 348 onion. NS a.iana-servers.net. 349 onion. NS b.iana-servers.net. 350 onion. NS c.iana-servers.net. 352 And, in the tiny zone file hosted at *.iana-servers.net: 354 onion. SOA whatever 355 onion. NS a.iana-servers.net. 356 onion. NS b.iana-servers.net. 357 onion. NS c.iana-servers.net. 358 onion. DNAME empty.as112.arpa. 360 It does not have exactly the same result as the main proposal, since 361 a DNAME record works only for names under it, not for the owner name 362 itself. 364 Author's Address 366 Stephane Bortzmeyer 367 AFNIC 368 1, rue Stephenson 369 Montigny-le-Bretonneux 78180 370 France 372 Phone: +33 1 39 30 83 46 373 Email: bortzmeyer+ietf@nic.fr 374 URI: http://www.afnic.fr/