draft-ietf-dnsop-alt-tld-11.txt (January 9, 2019; expires July 13, 2019) vs. draft-ietf-dnsop-alt-tld-12.txt (August 23, 2019; expires February 24, 2020)

dnsop                                                          W. Kumari
Internet-Draft                                                    Google
Intended status: Informational                               A. Sullivan
Expires: February 24, 2020                                        Oracle
                                                         August 23, 2019

                  The ALT Special Use Top Level Domain
                       draft-ietf-dnsop-alt-tld-12
Abstract

   This document reserves a string (ALT) to be used as a TLD label in
   non-DNS contexts.  It also provides advice and guidance to developers
   developing alternative namespaces.

   [Ed note: Text inside square brackets ([]) is additional background
   information, answers to frequently asked questions, general musings,
   etc.  They will be removed before publication.  This document is
   skipping to change at page 1, line 41
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 24, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   skipping to change at page 3, line 10
   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

1.2.  Terminology

   This document assumes familiarity with DNS terms and concepts.
   Please see [RFC1034] for background and concepts, and [RFC7719] for
   terminology.  Readers are also expected to be familiar with the
   discussions in [RFC8244].

   o  DNS name: Domain names that are intended to be used with DNS
      resolution, either in the global DNS or in some other context.

   o  DNS context: The namespace anchored at the globally-unique DNS
      root.  This is the namespace or context that "normal" DNS uses.

   o  non-DNS context: Any other (alternative) namespace.

   o  pseudo-TLD: A label that appears in a fully-qualified domain name
   skipping to change at page 4, line 4
   These strings are not registered anywhere nor are they part of the
   DNS.  However, to users and to some applications, they appear to be
   TLDs; and issues may arise if they are looked up in the DNS.  This
   document suggests that name resolution libraries (stub resolvers)
   recognize names ending in ".alt" as special, and not attempt to look
   them up using the DNS protocol in order to limit the effects of
   queries accidentally leaking into the DNS.
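   The stub-resolver behaviour suggested above, written out as an added
   example in Python; this is illustrative code, not text from the draft
   and not the code of any real resolver library.  Names are normalised
   (one trailing root dot removed, labels lowercased, empty labels
   rejected), a name counts as special only when its rightmost label is
   "alt", and such names are dispatched to a locally registered
   resolution context or fail locally instead of being sent to the DNS.
   The handler registry, the "example" namespace and the recording DNS
   back end are constructed for the demonstration.

```python
"""Added example (not from the draft): a stub-resolver front end that treats
names under the ALT pseudo-TLD as special and never hands them to the DNS."""
from typing import Callable, Dict, List, Optional

ALT_LABEL = "alt"
Lookup = Callable[[str], List[str]]   # name -> addresses


class ResolutionError(Exception):
    """The name cannot be resolved in any context this host knows about."""


def labels_of(name: str) -> List[str]:
    """Split a presentation-format name into lowercase labels.

    One trailing dot (the root) is accepted.  Empty labels elsewhere and
    over-long labels are rejected, so "foo..alt" cannot confuse the check.
    """
    if name.endswith("."):
        name = name[:-1]
    if name == "":
        return []                      # the root itself
    labels = name.split(".")
    if any(lbl == "" or len(lbl) > 63 for lbl in labels):
        raise ValueError(f"malformed domain name: {name!r}")
    return [lbl.lower() for lbl in labels]   # DNS labels are case-insensitive


def is_alt_name(name: str) -> bool:
    """True only when the rightmost label is "alt": "x.Alt." and "ALT" match,
    while "alt.example.com" is an ordinary DNS name."""
    labels = labels_of(name)
    return bool(labels) and labels[-1] == ALT_LABEL


def alt_namespace(name: str) -> Optional[str]:
    """The label directly beneath .alt, identifying the alternative namespace
    ("bar" for "foo.bar.alt"); None for the bare "alt" label."""
    labels = labels_of(name)
    if len(labels) < 2 or labels[-1] != ALT_LABEL:
        return None
    return labels[-2]


class StubResolver:
    """Routes ALT names to locally registered resolution contexts and every
    other name to the DNS (`dns` is whatever issues real DNS queries)."""

    def __init__(self, dns: Lookup) -> None:
        self._dns = dns
        self._alt_handlers: Dict[str, Lookup] = {}

    def register_alt_namespace(self, namespace: str, handler: Lookup) -> None:
        self._alt_handlers[namespace.lower()] = handler

    def resolve(self, name: str) -> List[str]:
        if is_alt_name(name):
            ns = alt_namespace(name)
            handler = self._alt_handlers.get(ns) if ns else None
            if handler is None:
                # The property the draft asks for: an ALT name with no local
                # context fails here instead of leaking as a DNS query.
                raise ResolutionError(
                    f"{name}: no local resolution context for .alt namespace {ns!r}")
            return handler(name)
        return self._dns(name)


# --- constructed demonstration back ends (no real network) ------------------

class RecordingDns:
    """Stand-in for the DNS path that records every name it receives, so it
    can be checked that no ALT name ever reached it."""

    def __init__(self) -> None:
        self.queries: List[str] = []

    def __call__(self, name: str) -> List[str]:
        self.queries.append(name)
        return ["192.0.2.1"]           # documentation-range address


def example_handler(name: str) -> List[str]:
    # Hypothetical resolution context for the "example" namespace under .alt.
    return ["fd00::1"] if labels_of(name)[0] == "host" else []


def demo():
    dns = RecordingDns()
    resolver = StubResolver(dns)
    resolver.register_alt_namespace("example", example_handler)
    results = {}
    for qname in ["www.example.com.", "host.Example.ALT.", "alt.example.com"]:
        results[qname] = resolver.resolve(qname)
    return results, dns.queries


if __name__ == "__main__":
    res, reached_dns = demo()
    print(res)
    print("names that reached the DNS:", reached_dns)
```

   The check deliberately looks only at the rightmost label: a name such
   as "alt.example.com" is a normal DNS name and must still be sent to
   the DNS, while "host.Example.ALT." is special regardless of case or
   trailing root dot.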
   The techniques in this document are primarily intended to address the
   "Experimental Squatting Problem", the "Land Rush Problem" and "Name
   Collisions" issues discussed in [RFC8244] (which contains much
   additional background, etc).
3.  The ALT namespace

   This document reserves the ALT label, using the [RFC6761] process,
   for use as an unmanaged pseudo-TLD namespace.  The ALT label MAY be
   used in any domain name as a pseudo-TLD to signify that this is an
   alternative (non-DNS) namespace, and should not be looked up in a DNS
   context.

   Alternative namespaces should differentiate themselves from other
   skipping to change at page 6, line 47
   a DNS name, and so should not be resolved using the DNS.
   Unfortunately, these queries will undoubtedly leak into the DNS - for
   example, a user may receive an email containing a hostname which
   should be resolved using a specific resolution context (implemented
   by a specific application or resolution mechanism).  If the user does
   not have that particular application installed (and their stub
   resolver library has not been updated to ignore queries for names
   ending in .alt), it is likely that this will instead be resolved
   using the DNS.  This DNS query will likely be sent to the configured
   iterative resolver.  If this resolver does not have a cache entry for
   this name (or, if the resolver implements [RFC8198], a cached
   negative (NSEC) entry from the root zone covering .alt), this query
   will likely be sent to the DNS root servers.  This exposes the
   (leaked) query name to the operator of the resolver, the operator of
   the queried DNS root server, and anyone watching queries along the
   path.  This is a general problem with alternative name spaces and not
   confined to names ending in .alt.
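   A resolver operator can measure the leakage described above from the
   other end of the path.  The following is an added example, not text
   or code from the draft: it scans query-log lines for names whose
   rightmost label is "alt" and summarises them by alternative namespace
   (which application is leaking) and by client (which host has a stub
   resolver that was not updated).  The log lines are constructed in the
   shape of BIND 9 query-log entries; the field layout the regular
   expression assumes is spelled out in the code and would need adjusting
   for another resolver's log format.

```python
"""Added example (not from the draft): find queries for names under the ALT
pseudo-TLD that leaked into a recursive resolver's query log."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Assumed shape of a BIND 9 query-log entry (the "@0x..." client handle is
# absent in older versions, so it is optional here):
#   client @0x7f3b 192.0.2.10#53412 (name): query: name IN A +E(0)K (192.0.2.1)
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<src>[0-9A-Fa-f.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

ALT_LABEL = "alt"


def is_alt_name(qname: str) -> bool:
    """True when the rightmost label is "alt", ignoring case and a trailing
    root dot; "alt.example.com" is not an ALT name."""
    labels = [lbl.lower() for lbl in qname.rstrip(".").split(".") if lbl]
    return bool(labels) and labels[-1] == ALT_LABEL


def alt_namespace(qname: str) -> str:
    """Label directly beneath .alt ("myhome" for "printer.myhome.alt");
    the empty string for a bare "alt" query."""
    labels = [lbl.lower() for lbl in qname.rstrip(".").split(".") if lbl]
    return labels[-2] if len(labels) >= 2 else ""


def find_alt_leaks(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, qname, qtype) for every logged query whose name is
    under .alt.  Lines that are not query-log entries are ignored."""
    leaks = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and is_alt_name(m["qname"]):
            leaks.append((m["src"], m["qname"], m["qtype"]))
    return leaks


def summarize(leaks: List[Tuple[str, str, str]]) -> Dict[str, Counter]:
    """Aggregate leaks by alternative namespace (which application or
    protocol is leaking) and by client (which host needs its stub fixed)."""
    return {
        "by_namespace": Counter(alt_namespace(q) for _, q, _ in leaks),
        "by_client": Counter(src for src, _, _ in leaks),
    }


# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = [
    "23-Aug-2019 10:15:01.123 queries: info: client @0x7f3b2c01a2f0 192.0.2.10#53412 "
    "(www.example.com): query: www.example.com IN A +E(0)K (192.0.2.1)",
    "23-Aug-2019 10:15:01.456 queries: info: client @0x7f3b2c01a2f0 192.0.2.10#53413 "
    "(printer.myhome.alt): query: printer.myhome.alt IN A + (192.0.2.1)",
    "23-Aug-2019 10:15:02.001 queries: info: client 2001:db8::42#40001 "
    "(node.Mesh.ALT): query: node.Mesh.ALT IN AAAA +E(0) (2001:db8::1)",
    "23-Aug-2019 10:15:02.300 queries: info: client @0x7f3b2c01b000 198.51.100.7#5353 "
    "(alt.example.com): query: alt.example.com IN A + (192.0.2.1)",
    "23-Aug-2019 10:15:03.000 general: info: zone example.com/IN: loaded serial 2019082301",
    "23-Aug-2019 10:15:03.750 queries: info: client 192.0.2.10#53414 "
    "(svc.myhome.alt.): query: svc.myhome.alt. IN SRV + (192.0.2.1)",
]

if __name__ == "__main__":
    found = find_alt_leaks(SAMPLE_LOG)
    for src, qname, qtype in found:
        print(f"leaked: {src} asked for {qname} {qtype}")
    print(summarize(found))
```

   Note that the query for "alt.example.com" is correctly left out of the
   results: only the rightmost label matters, exactly as in the stub
   resolver check.  Run against a real query log, the per-client counts
   identify the hosts whose stub resolvers still forward .alt names.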
6.  Security Considerations

   One of the motivations for the creation of the .alt pseudo-TLD is
   that unmanaged labels in the managed root name space are subject to
   unexpected takeover.  This could occur if the manager of the root
   name space decides to delegate the unmanaged label.

   The unmanaged and "registration not required" nature of labels
   beneath .alt provides the opportunity for an attacker to re-use the
   skipping to change at page 7, line 43
   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
              <https://www.rfc-editor.org/info/rfc1034>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC6303]  Andrews, M., "Locally Served DNS Zones", BCP 163,
              RFC 6303, DOI 10.17487/RFC6303, July 2011,
              <https://www.rfc-editor.org/info/rfc6303>.

   [RFC6761]  Cheshire, S. and M. Krochmal, "Special-Use Domain Names",
              RFC 6761, DOI 10.17487/RFC6761, February 2013,
              <https://www.rfc-editor.org/info/rfc6761>.

   [RFC7686]  Appelbaum, J. and A. Muffett, "The ".onion" Special-Use
              Domain Name", RFC 7686, DOI 10.17487/RFC7686, October
              2015, <https://www.rfc-editor.org/info/rfc7686>.

   [RFC7719]  Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
              Terminology", RFC 7719, DOI 10.17487/RFC7719, December
              2015, <https://www.rfc-editor.org/info/rfc7719>.
8.2.  Informative References

   [Dingledine2004]
              Dingledine, R., Mathewson, N., and P. Syverson, "Tor: The
              Second-Generation Onion Router", August 2004,
              <https://svn.torproject.org/svn/projects/design-paper/tor-design.html>.

   [RFC8198]  Fujiwara, K., Kato, A., and W. Kumari, "Aggressive Use of
              DNSSEC-Validated Cache", RFC 8198, DOI 10.17487/RFC8198,
              July 2017, <https://www.rfc-editor.org/info/rfc8198>.

   [RFC8244]  Lemon, T., Droms, R., and W. Kumari, "Special-Use Domain
              Names Problem Statement", RFC 8244, DOI 10.17487/RFC8244,
              October 2017, <https://www.rfc-editor.org/info/rfc8244>.
Appendix A.  Changes / Author Notes.

   [RFC Editor: Please remove this section before publication ]

   From -08 to -12:

   o  Just bumping versions to prevent expiration.

   o  Updated references (aggressive-nsec is now RFC 8198,
      draft-ietf-dnsop-sutld-ps is now RFC 8244).

   From -07 to -08:

   o  Made it clear that this is only for non-DNS.

   o  As per Interim consensus, removed the "add this to local zones"
      text.

   o  Added a Privacy Considerations section

   o  Grammar fix -- "alternative" is more correct than "alternate",
   End of changes.  10 change blocks.  26 lines changed or deleted, 26
   lines changed or added.

   This html diff was produced by rfcdiff 1.47.  The latest version is
   available from http://tools.ietf.org/tools/rfcdiff/