idnits 2.17.00 (12 Aug 2021) /tmp/idnits33890/draft-ietf-dnsop-alt-tld-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (February 1, 2017) is 1935 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- ** Obsolete normative reference: RFC 7719 (Obsoleted by RFC 8499) == Outdated reference: draft-ietf-dnsop-sutld-ps has been published as RFC 8244 Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 dnsop W. Kumari 3 Internet-Draft Google 4 Intended status: Informational A. Sullivan 5 Expires: August 5, 2017 Dyn 6 February 1, 2017 8 The ALT Special Use Top Level Domain 9 draft-ietf-dnsop-alt-tld-07 11 Abstract 13 This document reserves a string (ALT) to be used as a TLD label in 14 non-DNS contexts, or for names that have no meaning in a global 15 context. It also provides advice and guidance to developers 16 developing alternate namespaces. 18 [Ed note: Text inside square brackets ([]) is additional background 19 information, answers to frequently asked questions, general musings, 20 etc. They will be removed before publication.This document is being 21 collaborated on in Github at: https://github.com/wkumari/draft- 22 wkumari-dnsop-alt-tld. The most recent version of the document, open 23 issues, etc should all be available here. The authors (gratefully) 24 accept pull requests. NOTE: This document is currently a parked WG 25 document -- as such, all changes are being handled in GitHub and a 26 new version will be posted once unparked. 28 It had been suggested (off-list) that the draft should contain 29 instead of .ALT, and then make the WG choose a string before 30 publication. A version of the draft like this was published on 31 GitHub (https://github.com/wkumari/draft-wkumari-dnsop-alt-tld/ 32 tree/7988fcf06100f7a17f21e6993b781690b5774472) (and generated no 33 feedback). This version reverts to .ALT -- the chairs stated that 34 the document was adopted with the string .alt, it has been discussed 35 as .alt. IMO, it is more readable as .alt; it would also be a 36 difficult consensus call, boiling down to beauty contests. If the WG 37 selects a different string ("not-dns" had been suggested in the 38 past), the editors will, of course, replace it. ] 40 Status of This Memo 42 This Internet-Draft is submitted in full conformance with the 43 provisions of BCP 78 and BCP 79. 45 Internet-Drafts are working documents of the Internet Engineering 46 Task Force (IETF). Note that other groups may also distribute 47 working documents as Internet-Drafts. The list of current Internet- 48 Drafts is at http://datatracker.ietf.org/drafts/current/. 50 Internet-Drafts are draft documents valid for a maximum of six months 51 and may be updated, replaced, or obsoleted by other documents at any 52 time. It is inappropriate to use Internet-Drafts as reference 53 material or to cite them other than as "work in progress." 55 This Internet-Draft will expire on August 5, 2017. 57 Copyright Notice 59 Copyright (c) 2017 IETF Trust and the persons identified as the 60 document authors. All rights reserved. 62 This document is subject to BCP 78 and the IETF Trust's Legal 63 Provisions Relating to IETF Documents 64 (http://trustee.ietf.org/license-info) in effect on the date of 65 publication of this document. Please review these documents 66 carefully, as they describe your rights and restrictions with respect 67 to this document. Code Components extracted from this document must 68 include Simplified BSD License text as described in Section 4.e of 69 the Trust Legal Provisions and are provided without warranty as 70 described in the Simplified BSD License. 72 Table of Contents 74 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 75 1.1. Requirements notation . . . . . . . . . . . . . . . . . . 3 76 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 77 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 78 3. The ALT namespace . . . . . . . . . . . . . . . . . . . . . . 4 79 3.1. Choice of the ALT Name . . . . . . . . . . . . . . . . . 5 80 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 81 4.1. Domain Name Reservation Considerations . . . . . . . . . 5 82 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 83 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 84 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 85 7.1. Normative References . . . . . . . . . . . . . . . . . . 7 86 7.2. Informative References . . . . . . . . . . . . . . . . . 7 87 Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 8 88 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 90 1. Introduction 92 Many protocols and systems need to name entities. Names that look 93 like DNS names (a series of labels separated with dots) have become 94 common, even in systems that are not part of the global DNS 95 administered by IANA. 97 This document reserves the label "ALT" (short for "Alternate") as a 98 Special Use Domain ([RFC6761]). This label is intended to be used as 99 the final (rightmost) label to signify that the name is not rooted in 100 the DNS, and that normal registration and lookup rules do not apply. 102 1.1. Requirements notation 104 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 105 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 106 document are to be interpreted as described in [RFC2119]. 108 1.2. Terminology 110 This document assumes familiarity with DNS terms and concepts. 111 Please see [RFC1034] for background and concepts, and [RFC7719] for 112 terminology. Readers are also expected to be familiar with the 113 discussions in [I-D.ietf-dnsop-sutld-ps] 115 o DNS name: Domain names that are intended to be used with DNS 116 resolution, either in the global DNS or in some other context 118 o DNS context: The namespace anchored at the globally-unique DNS 119 root. This is the namespace or context that "normal" DNS uses. 121 o non-DNS context: Any other (alternate) namespace. 123 o pseudo-TLD: A label that appears in a fully-qualified domain name 124 in the position of a TLD, but which is not registered in the 125 global DNS. This term is in no way intended to be pejorative. 127 o TLD: The last visible label in either a fully-qualified domain 128 name or a name that is qualified relative to the root. See the 129 discussion in Section 2. 131 2. Background 133 The success of the DNS makes it a natural starting point for systems 134 that need to name entities in a non-DNS context. 136 In many cases, these systems build a DNS-style tree parallel to, but 137 separate from, the global DNS. They often use a pseudo-TLD to cause 138 resolution in the alternate namespace, using browser plugins, shims 139 in the name resolution process, or simply applications that perform 140 special handling of this particular alternate namespace. An example 141 of such a system is the Tor network's [Dingledine2004] use of the 142 ".onion" Special-Use Top-Level Domain Name (see [RFC7686]). 144 In many cases, the creators of these alternative namespaces have 145 chosen a convenient or descriptive string and started using it. 146 These strings are not registered anywhere nor are they part of the 147 DNS. However, to users and to some applications they appear to be 148 TLDs; and issues may arise if they are looked up in the DNS. 150 An alternate name resolution system might be specifically designed to 151 provide confidentiality of the looked up name, and to provide a 152 distributed and censorship-resistant namespace. This goal would 153 necessarily be defeated if the queries leak into the DNS, because the 154 attempt to look up the name would be visible to the operators of root 155 name servers at a minimum as well as to any entity viewing the DNS 156 lookups going to the root nameservers. 158 The techniques in this document are primarily intended to address the 159 "Experimental Squatting Problem", the "Land Rush Problem" and "Name 160 Collisions" issues discussed in [I-D.ietf-dnsop-sutld-ps] (whiich 161 contains much additional background, etc). 163 3. The ALT namespace 165 This document reserves the ALT label, using the [RFC6761] process, 166 for use as an unmanaged pseudo-TLD namespace. The ALT label MAY be 167 used in any domain name as a pseudo-TLD to signify that this is an 168 alternate (non-DNS) namespace, and should not be looked up in a DNS 169 context. 171 Alternative namespaces should differentiate themselves from other 172 alternate namespaces by choosing a name and using it in the label 173 position just before the pseudo-TLD (ALT). For example, a group 174 wishing to create a namespace for Friends Of Olaf might choose the 175 string "foo" and use any set of labels under foo.alt. 177 As they are in an alternative namespace, they have no significance in 178 the regular DNS context and so should not be looked up in the DNS 179 context. Some of these requests will inevitably leak into the DNS 180 context (for example, because of clicks on a link in a browser that 181 does not have a extension installed that implements the alternate 182 namespace resolution), and so the ALT TLD has been added to the 183 "Locally Served DNS Zones" ( [RFC6303]) registry to limit how far 184 these flow. 186 Groups wishing to create new alternate namespaces MAY create their 187 alternate namespace under a label that names their namespace under 188 the ALT label. They SHOULD choose a label that they expect to be 189 unique and, ideally, descriptive. There is no IANA controlled 190 registry for names under the ALT TLD - it is an unmanaged namespace, 191 and developers are responsible for dealing with any collisions that 192 may occur under .alt. Informal lists of namespaces under .alt may 193 appear to assist the developer community. 195 [Editor note (to be removed before publication): There was 196 significant discussion on an IANA registry for the ALT namespace - 197 please consult the lists for full thread, but the consensus was that 198 it would be better for the IETF / IANA to not administer a registry 199 for this. It is expected one or more unofficial lists will be 200 created where people can list the strings that they are using. ] 202 Currently deployed projects and protocols that are using pseudo-TLDs 203 may choose to move under the ALT TLD, but this is not a requirement. 204 Rather, the ALT TLD is being reserved so that current and future 205 projects of a similar nature have a designated place to create 206 alternative resolution namespaces that will not conflict with the 207 regular DNS context. 209 3.1. Choice of the ALT Name 211 A number of names other than "ALT" were considered and discarded. In 212 order for this technique to be effective the names need to continue 213 to follow both the DNS format and conventions (a prime consideration 214 for alternative name formats is that they can be entered in places 215 that normally take DNS context names); this rules out using suffixes 216 that do not follow the usual letter, digit, and hyphen label 217 convention. 219 4. IANA Considerations 221 The IANA is requested to add the ALT string to the "Special-Use 222 Domain Name" registry ([RFC6761], and reference this document. In 223 addition, the "Locally Served DNS Zones" ([RFC6303]) registry should 224 be updated to reference this document. 226 4.1. Domain Name Reservation Considerations 228 This section is to satisfy the requirement in Section 5 of RFC6761. 230 The domain "alt.", and any names falling within ".alt.", are special 231 in the following ways: 233 1. Human users are expected to know that strings that end in .alt 234 behave differently to normal DNS names. Users are expected to 235 have applications running on their machines that intercept 236 strings of the form .alt and perform special handing 237 of them. If the user tries to resolve a name of the form 238 .alt without the plugin installed, the 239 request will leak into the DNS, and receive a negative response. 241 2. Writers of application software that implement a non-DNS 242 namespace are expected to intercept names of the form 243 .alt and perform application specific handing with 244 them. Other applications are not intended to perform any special 245 handing. 247 3. Writers of name resolution APIs and libraries which operate in 248 the DNS context should not attempt to look these names up in the 249 DNS. If developers of other namespaces implement their namespace 250 through a "shim" or library, they will need to intercept and 251 perform their own handling. 253 4. Caching DNS servers SHOULD recognize these names as special and 254 SHOULD NOT, by default, attempt to look up NS records for them, 255 or otherwise query authoritative DNS servers in an attempt to 256 resolve these names. Instead, caching DNS servers SHOULD 257 generate immediate negative responses for all such queries. 259 5. Authoritative DNS servers SHOULD recognize these names as special 260 and SHOULD, by default, generate immediate negative responses for 261 all such queries, unless explicitly configured by the 262 administrator to give positive answers for private-address 263 reverse-mapping names. 265 6. DNS server operators SHOULD be aware that queries for names 266 ending in .alt are not DNS names, and were leaked into the DNS 267 context (for example, by a missing browser plugin). This 268 information may be useful for support or debugging purposes. 270 7. DNS Registries/Registrars MUST NOT grant requests to register 271 "alt" names in the normal way to any person or entity. These 272 "alt" names are defined by protocol specification to be 273 nonexistent, and they fall outside the set of names available for 274 allocation by registries/registrars. 276 5. Security Considerations 278 One of the motivations for the creation of the .alt pseudo-TLD is 279 that unmanaged labels in the managed root name space are subject to 280 unexpected takeover. This could occur if the manager of the root 281 name space decides to delegate the unmanaged label. Another 282 motivation for implementing the .alt namespace to increase user 283 privacy for those who do use alternate name resolution systems; it 284 would limit how far these queries leak (e.g if used on a system which 285 does not implement the alternate resolution system). 287 The unmanaged and "registration not required" nature of labels 288 beneath .alt provides the opportunity for an attacker to re-use the 289 chosen label and thereby possibly compromise applications dependent 290 on the special host name. 292 6. Acknowledgements 294 We would also like to thank Joe Abley, Mark Andrews, Marc Blanchet, 295 John Bond, Stephane Bortzmeyer, David Cake, David Conrad, Patrik 296 Faltstrom, Olafur Gudmundsson, Bob Harold, Paul Hoffman, Joel 297 Jaeggli, Ted Lemon, Edward Lewis, George Michaelson, Ed Pascoe, 298 Arturo Servin, and Paul Vixie for feedback. 300 Christian Grothoff was also very helpful. 302 7. References 304 7.1. Normative References 306 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 307 STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, 308 . 310 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 311 Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ 312 RFC2119, March 1997, 313 . 315 [RFC6303] Andrews, M., "Locally Served DNS Zones", BCP 163, RFC 316 6303, DOI 10.17487/RFC6303, July 2011, 317 . 319 [RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", 320 RFC 6761, DOI 10.17487/RFC6761, February 2013, 321 . 323 [RFC7686] Appelbaum, J. and A. Muffett, "The ".onion" Special-Use 324 Domain Name", RFC 7686, DOI 10.17487/RFC7686, October 325 2015, . 327 [RFC7719] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS 328 Terminology", RFC 7719, DOI 10.17487/RFC7719, December 329 2015, . 331 7.2. Informative References 333 [Dingledine2004] 334 Dingledine, R., Mathewson, N., and P. Syverson, "Tor: The 335 Second-Generation Onion Router", , 8 2004, 336 <>. 339 [I-D.ietf-dnsop-sutld-ps] 340 Lemon, T., Droms, R., and W. Kumari, "Special-Use Names 341 Problem Statement", draft-ietf-dnsop-sutld-ps-00 (work in 342 progress), October 2016. 344 Appendix A. Changes / Author Notes. 346 [RFC Editor: Please remove this section before publication ] 348 From -06 to -07: 350 o Rolled up the GItHub releases in to a full release. 352 From -07.2 to -07.3 (GitHub point release): 354 Removed 'sandbox' at Stephane's suggestion - https://www.ietf.org/ 355 mail-archive/web/dnsop/current/msg18495.html 357 Suggested (in 4.1 bullet 3) that DNS libraries ignore these -- Bob 358 Harold - https://mailarchive.ietf.org/arch/msg/dnsop/ 359 a_ruPf8osSzi_hCzCqOxYLXhYoA 361 Added some pointers to the SUTLD document. 363 From -07.1 to -07.2 (Github point release): 365 o Reverted the string (at request of chairs). 367 o Added an editors note explaining the above. 369 o Removed some more background, editorializing, etc. 371 From -06 to -07.1 (https://github.com/wkumari/draft-wkumari-dnsop- 372 alt-tld/tree/7988fcf06100f7a17f21e6993b781690b5774472): 374 o Replaced ALT with at the suggestions of George. 376 From -05 to -06: 378 o Removed a large amount of background - we now have the (adopted) 379 tldr document for that. 381 o Made it clear that pseudo-TLD is not intended to be pejorative. 383 o Tried to make it cleat that this is something people can choose to 384 use - or not. 386 From -04 to -05: 388 o Version bump - we are waiting in the queue for progress on SUN, 389 bumping this to keep it alive. 391 From -03 to -04: 393 o 3 changes - the day, the month and the year (a bump to keep 394 alive). 396 From -02 to -03: 398 o Incorporate suggestions from Stephane and Paul Hoffman. 400 From -01 to -02: 402 o Merged a bunch of changes from Paul Hoffman. Thanks for sending a 403 git pull. 405 From -00 to 01: 407 o Removed the "delegated to new style AS112 servers" text -this was 408 legacy from the omnicient AS112 days. (Joe Abley) 410 o Removed the "Advice to implemntors" section. This used to 411 recommend that people used a subdomain of a domain in the DNS. It 412 was pointed out that this breaks things badly if the domain 413 expires. 415 o Added text about why we don't want to adminster a registry for 416 ALT. 418 From Individual-06 to DNSOP-00 420 o Nothing changed, simply renamed draft-wkumari-dnsop-alt-tld to 421 draft-ietf-dnsop-alt-tld 423 From -05 to -06 425 o Incorporated comments from a number of people, including a number 426 of suggestion heard at the IETF meeting in Dallas, and the DNSOP 427 Interim meeting in May, 2015. 429 o Removed the "Let's have an (optional) IANA registry for people to 430 (opportinistically) register their string, if they want that 431 option" stuff. It was, um, optional.... 433 From -04 to -05 435 o Went through and made sure that I'd captured the feedback 436 received. 438 o Comments from Ed Lewis. 440 o Filled in the "Domain Name Reservation Considerations" section of 441 RFC6761. 443 o Removed examples from .Onion. 445 From -03 to -04 447 o Incorporated some comments from Paul Hoffman 449 From -02 to -03 451 o After discussions with chairs, made this much more generic (not 452 purely non-DNS), and some cleanup. 454 From -01 to -02 456 o Removed some fluffy wording, tightened up the language some. 458 From -00 to -01. 460 o Fixed the abstract. 462 o Recommended that folk root their non-DNS namespace under a DNS 463 namespace that they control (Joe Abley) 465 Authors' Addresses 467 Warren Kumari 468 Google 469 1600 Amphitheatre Parkway 470 Mountain View, CA 94043 471 US 473 Email: warren@kumari.net 474 Andrew Sullivan 475 Dyn 476 150 Dow Street 477 Manchester, NH 03101 478 US 480 Email: asullivan@dyn.com