idnits 2.17.1 draft-ietf-dnsop-alt-tld-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 2 instances of lines with non-RFC2606-compliant FQDNs in the document. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (September 12, 2016) is 2783 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- No issues found here. Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 dnsop W. Kumari 3 Internet-Draft Google 4 Intended status: Informational A. Sullivan 5 Expires: March 16, 2017 Dyn 6 September 12, 2016 8 The ALT Special Use Top Level Domain 9 draft-ietf-dnsop-alt-tld-05 11 Abstract 13 This document reserves a string (ALT) to be used as a TLD label in 14 non-DNS contexts or for names that have no meaning in a global 15 context. It also provides advice and guidance to developers 16 developing alternate namespaces. 18 [ Ed note: This document lives in GitHub at: 19 https://github.com/wkumari/draft-wkumari-dnsop-alt-tld . Issues and 20 pull requests happily accepted. ] 22 [ Question for Working Group. It has been proposed that the string 23 .ALT should be replaced with something else e.g. .NOT-DNS. As naming 24 discussions in the IETF are always short, simple, and not 25 controversial, we figured we should open these for discussion now. 26 We would appreciate clear feedback on preference and rationale. ] 28 Status of This Memo 30 This Internet-Draft is submitted in full conformance with the 31 provisions of BCP 78 and BCP 79. 33 Internet-Drafts are working documents of the Internet Engineering 34 Task Force (IETF). Note that other groups may also distribute 35 working documents as Internet-Drafts. The list of current Internet- 36 Drafts is at http://datatracker.ietf.org/drafts/current/. 38 Internet-Drafts are draft documents valid for a maximum of six months 39 and may be updated, replaced, or obsoleted by other documents at any 40 time. It is inappropriate to use Internet-Drafts as reference 41 material or to cite them other than as "work in progress." 43 This Internet-Draft will expire on March 16, 2017. 45 Copyright Notice 47 Copyright (c) 2016 IETF Trust and the persons identified as the 48 document authors. All rights reserved. 50 This document is subject to BCP 78 and the IETF Trust's Legal 51 Provisions Relating to IETF Documents 52 (http://trustee.ietf.org/license-info) in effect on the date of 53 publication of this document. Please review these documents 54 carefully, as they describe your rights and restrictions with respect 55 to this document. Code Components extracted from this document must 56 include Simplified BSD License text as described in Section 4.e of 57 the Trust Legal Provisions and are provided without warranty as 58 described in the Simplified BSD License. 60 Table of Contents 62 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 63 1.1. Requirements notation . . . . . . . . . . . . . . . . . . 3 64 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 65 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 66 3. The ALT namespace . . . . . . . . . . . . . . . . . . . . . . 4 67 3.1. Choice of the ALT Name . . . . . . . . . . . . . . . . . 5 68 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 69 4.1. Domain Name Reservation Considerations . . . . . . . . . 6 70 5. Security Considerations . . . . . . . . . . . . . . . . . . . 7 71 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 72 7. Normative References . . . . . . . . . . . . . . . . . . . . 8 73 Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 8 74 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 76 1. Introduction 78 Many protocols and systems need to name entities. Names that look 79 like DNS names (a series of labels separated with dots) have become 80 common, even in systems that are not part of the global DNS 81 administered by IANA. 83 This document provides a solution that may, in many cases, be more 84 appropriate than [RFC6761]. 86 This document reserves the label "ALT" (short for "Alternate") as a 87 Special Use Domain ([RFC6761]). This label is intended to be used as 88 the final (rightmost) label to signify that the name is not rooted in 89 the DNS, and that normal registration and lookup rules do not apply. 91 1.1. Requirements notation 93 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 94 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 95 document are to be interpreted as described in [RFC2119]. 97 1.2. Terminology 99 This document assumes familiarity with DNS terms and concepts. 100 Please see [RFC1034] for background and concepts, and 101 [I-D.ietf-dnsop-dns-terminology] for terminology. 103 o DNS name: Domain names that are intended to be used with DNS 104 resolution, either in the global DNS or in some other context 106 o DNS context: The namespace anchored at the globally-unique DNS 107 root. This is the namespace or context that "normal" DNS uses. 109 o non-DNS context: Any other (alternate) namespace. 111 o pseudo-TLD: A label that appears in a fully-qualified domain name 112 in the position of a TLD, but which is not registered in the 113 global DNS. 115 o TLD: The last visible label in either a fully-qualified domain 116 name or a name that is qualified relative to the root. See the 117 discussion in Section 2. 119 2. Background 121 The DNS data model is based on a tree structure, and has a single 122 root. Conventionally, a name immediately beneath the root is called 123 a "Top Level Domain" or "TLD". TLDs usually delegate portions of 124 their namespace to others, who may then delegate further. The 125 hierarchical, distributed and caching nature of the DNS has made it 126 the primary resolution system on the Internet. 128 Domain names are terminated by a zero-length label, so the root label 129 is normally invisible. Truly fully-qualified names indicate the root 130 label explicitly, thus: "an.example.tld.". Most of the time, names 131 are written implicitly relative to the root, thus: "an.example.tld". 132 In both of these cases, the TLD is the last label that is visible in 133 presentation format -- in this example, the string "tld". (This 134 little bit of pedantry is here because, in different contexts, people 135 can use the term "fully-qualified domain name" to refer to either of 136 these uses.) It is worth noting that the root label is present in 137 the on-wire format of fully-qualified domain names, even if not 138 displayed in the presentation form. 140 The success of the DNS makes it a natural starting point for systems 141 that need to name entities in a non-DNS context, or that have no 142 unique meaning in a global context. These name resolutions, 143 therefore, occur in a namespace distinct from the DNS. 145 In many cases, these systems build a DNS-style tree parallel to, but 146 separate from, the global DNS. They often use a pseudo-TLD to cause 147 resolution in the alternate namespace, using browser plugins, shims 148 in the name resolution process, or simply applications that perform 149 special handling of this particular alternate namespace. 151 In many cases, the creators of these alternate namespaces have chosen 152 a convenient or descriptive string and started using it. These new 153 strings are "alternate" strings and are not registered anywhere or 154 part of the DNS. However they appear to users and to some 155 applications to be TLDs. Issues may arise if they are looked up in 156 the DNS. These include: 158 o User confusion: If someone emails a link of the form 159 foo.bar.pseudo-TLD to someone who does not have the necessary 160 software to resolve names in the pseudo-TLD namespace, the name 161 will not resolve and the user may become confused. 163 o Excess traffic hitting the DNS root: Lookups leak out of the 164 pseudo-TLD namespace and end up hitting the DNS root nameservers. 166 o Collisions: If the pseudo-TLD is eventually delegated from the 167 root zone, the lookup behavior will change in a non-deterministic 168 fashion. 170 o Lack of success for the user's original goal. 172 An alternate name resolution system might be specifically designed to 173 provide confidentiality of the looked up name, and to provide a 174 distributed and censorship-resistant namespace. This goal would 175 necessarily be defeated if the queries leak into the DNS, because the 176 attempt to look up the name would be visible at least to the 177 operators of root name servers and to any entity viewing the DNS 178 lookups going to the root nameservers. 180 3. The ALT namespace 182 In order to avoid the above issues, we reserve the ALT label. Unless 183 the name desired is globally unique, has meaning on the global 184 context and is delegated in the DNS, it should be considered an 185 alternate namespace, and follow the ALT label scheme outlined below. 186 The ALT label MAY be used in any domain name as a pseudo-TLD to 187 signify that this is an alternate (non-DNS) namespace. 189 Alternate namespaces should differentiate themselves from other 190 alternate namespaces by choosing a name and using it in the label 191 position just before the pseudo-TLD (ALT). For example, a group 192 wishing to create a namespace for Friends Of Olaf might choose the 193 string "foo" and use any set of labels under foo.alt. 195 As they are in an alternate namespace, they have no significance in 196 the regular DNS context and so should not be looked up in the DNS 197 context. Some of these requests will inevitably leak into the DNS 198 context (for example, because clicks on a link in a browser that does 199 not have a extension installed that implements the alternate 200 namespace resolution), and so the ALT TLD has been added to the 201 "Locally Served DNS Zones" ( [RFC6303]) registry to limit how far 202 these flow. 204 Groups wishing to create new alternate namespaces SHOULD create their 205 alternate namespace under a label that names their namespace, and 206 under the ALT label. They SHOULD choose a label that they expect to 207 be unique and, ideally, descriptive. There is no IANA controlled 208 registry for names under the ALT TLD - it is an unmanaged namespace, 209 and developers are responsible for dealing with any collisions that 210 may occur under .alt. Informal lists of namespaces under .alt may 211 appear to assist the developer community. 213 [Editor note (to be removed before publication): There was 214 significant discussion on an IANA registry for the ALT namespace - 215 please consult the lists for full thread, but the consensus seems to 216 be that it would be better for the IETF / IANA to not administer a 217 registry for this. It is expected one or more unofficial lists will 218 be created where people can list the strings that they are using. ] 220 Currently deployed projects and protocols that are using pseudo-TLDs 221 may decide to move under the ALT TLD, but this is not a requirement. 222 Rather, the ALT TLD is being reserved so that current and future 223 projects of a similar nature have a designated place to create 224 alternate resolution namespaces that will not conflict with the 225 regular DNS context. 227 3.1. Choice of the ALT Name 229 A number of names other than "ALT" were considered and discarded. In 230 order for this technique to be effective the names need to continue 231 to follow both the DNS format and conventions (a prime consideration 232 for alternate name formats is that they can be entered in places that 233 normally take DNS context names); this rules out using suffixes that 234 do not follow the usual letter, digit, and hyphen label convention. 236 Another proposal was that the ALT TLD instead be a reservation under 237 .arpa. This was considered, but rejected for several reasons, 238 including: 240 1. We wished this to make it clear that this is not in the DNS 241 context, and .arpa clearly is. 243 2. The use of the string .alt is intended to evoke the alt.* 244 hierarchy in Usenet. 246 3. We wanted the string to be short and easily used. 248 4. A name underneath .arpa would consume at least five additional 249 octets of the total 255 octets available in domain names, which 250 could put pressure on applications that need long machine- 251 generated names. 253 5. We are suggesting that the string "ALT" get special treatment in 254 resolvers, and shim software. We are concerned that using 255 subdomains of an existing TLD (like .arpa) might end up with bad 256 implementations misconfiguring / overriding the TLD itself and 257 breaking .arpa. 259 There is a concern that if there were placed under .arpa, 260 inexperienced nameserver operators may inadvertently cover .arpa. A 261 more significant concern is that the scope of the issue if the query 262 does leak, and the fact that this would then make the root of the 263 alternate naming namespace a third level domain, and not a second 264 one. A project may be willing to have a name of the form 265 example.alt, but example.alt.arpa may be not look as good. 267 4. IANA Considerations 269 The IANA is requested to add the ALT string to the "Special-Use 270 Domain Name" registry ([RFC6761], and reference this document. In 271 addition, the "Locally Served DNS Zones" ([RFC6303]) registry should 272 be updated to reference this document. 274 4.1. Domain Name Reservation Considerations 276 This section is to satisfy the requirement in Section 5 of RFC6761. 278 The domain "alt.", and any names falling within ".alt.", are special 279 in the following ways: 281 1. Human users are expected to know that strings that end in .alt 282 behave differently to normal DNS names. Users are expected to 283 have applications running on their machines that intercept 284 strings of the form .alt and perform special handing 285 of them. If the user tries to resolve a name of the form 286 .alt without the plugin installed, the 287 request will leak into the DNS, and receive a negative response. 289 2. Writers of application software that implement a non-DNS 290 namespace are expected to intercept names of the form 291 .alt and perform application specific handing with 292 them. Other applications are not intended to perform any special 293 handing. 295 3. In general, writers of name resolution APIs and libraries do not 296 need to perform special handing of these names. If developers of 297 other namespaces implement their namespace through a "shim" or 298 library, they will need to intercept and perform their own 299 handling. 301 4. Caching DNS servers SHOULD recognize these names as special and 302 SHOULD NOT, by default, attempt to look up NS records for them, 303 or otherwise query authoritative DNS servers in an attempt to 304 resolve these names. Instead, caching DNS servers SHOULD 305 generate immediate negative responses for all such queries. 307 5. Authoritative DNS servers SHOULD recognize these names as special 308 and SHOULD, by default, generate immediate negative responses for 309 all such queries, unless explicitly configured by the 310 administrator to give positive answers for private-address 311 reverse-mapping names. 313 6. DNS server operators SHOULD be aware that queries for names 314 ending in .alt are not DNS names, and were leaked into the DNS 315 context (for example, by a missing browser plugin). This 316 information may be useful for support or debugging purposes. 318 7. DNS Registries/Registrars MUST NOT grant requests to register 319 "alt" names in the normal way to any person or entity. These 320 "alt" names are defined by protocol specification to be 321 nonexistent, and they fall outside the set of names available for 322 allocation by registries/registrars. 324 5. Security Considerations 326 One of the motivations for the creation of the alt pseudo-TLD is that 327 unmanaged labels in the managed root name space are subject to 328 unexpected takeover if the manager of the root name space decides to 329 delegate the unmanaged label. 331 The unmanaged and "registration not required" nature of labels 332 beneath .alt provides the opportunity for an attacker to re-use the 333 chosen label and thereby possibly compromise applications dependent 334 on the special host name. 336 6. Acknowledgements 338 We would also like to thank Joe Abley, Mark Andrews, Marc Blanchet, 339 John Bond, Stephane Bortzmeyer, David Cake, David Conrad, Patrik 340 Faltstrom, Olafur Gudmundsson, Paul Hoffman, Joel Jaeggli, Ted Lemon, 341 Edward Lewis, George Michaelson, Ed Pascoe, Arturo Servin, and Paul 342 Vixie for feedback. 344 7. Normative References 346 [I-D.ietf-dnsop-dns-terminology] 347 Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS 348 Terminology", draft-ietf-dnsop-dns-terminology-05 (work in 349 progress), September 2015. 351 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 352 STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, 353 . 355 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 356 Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ 357 RFC2119, March 1997, 358 . 360 [RFC6303] Andrews, M., "Locally Served DNS Zones", BCP 163, RFC 361 6303, DOI 10.17487/RFC6303, July 2011, 362 . 364 [RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", 365 RFC 6761, DOI 10.17487/RFC6761, February 2013, 366 . 368 Appendix A. Changes / Author Notes. 370 [RFC Editor: Please remove this section before publication ] 372 From -04 to -05: 374 o Version bump - we are waiting in the queue for progress on SUN, 375 bumping this to keep it alive. 377 From -03 to -04: 379 o 3 changes - the day, the month and the year (a bump to keep 380 alive). 382 From -02 to -03: 384 o Incorporate suggestions from Stephane and Paul Hoffman. 386 From -01 to -02: 388 o Merged a bunch of changes from Paul Hoffman. Thanks for sending a 389 git pull. 391 From -00 to 01: 393 o Removed the "delegated to new style AS112 servers" text -this was 394 legacy from the omnicient AS112 days. (Joe Abley) 396 o Removed the "Advice to implemntors" section. This used to 397 recommend that people used a subdomain of a domain in the DNS. It 398 was pointed out that this breaks things badly if the domain 399 expires. 401 o Added text about why we don't want to adminster a registry for 402 ALT. 404 From Individual-06 to DNSOP-00 406 o Nothing changed, simply renamed draft-wkumari-dnsop-alt-tld to 407 draft-ietf-dnsop-alt-tld 409 From -05 to -06 411 o Incorporated comments from a number of people, including a number 412 of suggestion heard at the IETF meeting in Dallas, and the DNSOP 413 Interim meeting in May, 2015. 415 o Removed the "Let's have an (optional) IANA registry for people to 416 (opportinistically) register their string, if they want that 417 option" stuff. It was, um, optional.... 419 From -04 to -05 421 o Went through and made sure that I'd captured the feedback 422 received. 424 o Comments from Ed Lewis. 426 o Filled in the "Domain Name Reservation Considerations" section of 427 RFC6761. 429 o Removed examples from .Onion. 431 From -03 to -04 433 o Incorporated some comments from Paul Hoffman 435 From -02 to -03 437 o After discussions with chairs, made this much more generic (not 438 purely non-DNS), and some cleanup. 440 From -01 to -02 442 o Removed some fluffy wording, tightened up the language some. 444 From -00 to -01. 446 o Fixed the abstract. 448 o Recommended that folk root their non-DNS namespace under a DNS 449 namespace that they control (Joe Abley) 451 Authors' Addresses 453 Warren Kumari 454 Google 455 1600 Amphitheatre Parkway 456 Mountain View, CA 94043 457 US 459 Email: warren@kumari.net 461 Andrew Sullivan 462 Dyn 463 150 Dow Street 464 Manchester, NH 03101 465 US 467 Email: asullivan@dyn.com