Using DNAME in the DNS root zone for sinking of special-use TLDs

The DNS root nameservers receive a lot of requests for TLDs which do not exist. See for instance or or . In the spirit of , it would be good if they could be redirected to a sink such as AS112, to save root nameservers's resources. Some of these names, and specially one of the biggest offenders, .local (), are registered in the Special-Use Domain Names registry of . They are obvious candidates for a "delegation" to the sink. It is proposed to use the new AS112, the one described by to implement this sink.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .

Every TLD (, section 2) which is in the Special-Use Domain Names registry () SHOULD be "delegated" by IANA through a DNAME to empty.as112.arpa as described in if and only if the registration of this TLD say that resolvers SHOULD NOT or MUST NOT look them up in the DNS. It is important to notice that this document does not define a policy to decide if a TLD should be "delegated" or not. Instead, it relies on the existing Special-Use Domain Names registry and its rules. RFC-EDITOR: remove before publication. As of today, with these rules, .local () or .onion () would be "delegated" but not .example (its registration in does not define special handling for resolvers) or .home () or .belkin (this last one generates a huge traffic at the root nameservers but is not in the Special-Use Domain Names registry).

The main benefit is less load on the root nameservers and a better efficiency of the caches, therefore helping the entire DNS ecosystem.

Of course, the solution described in this document requires a good support of DNAME by the resolvers. Appendix A of describes an experiment which was run in 2013 and which shows that, indeed, we can rely on DNAME (quoting the authors: "We conclude that there is no evidence of a consistent failure on the part of deployed DNS resolvers to correctly resolve a DNAME construct."). The technical tests documented in have the same conclusion: DNAMEs work fine. What could be the expected "saving" of resources by this "delegation"? Well-behaved resolvers should cache the NXDOMAIN (negative caching duration in the root zone is currently one day) but this covers only the requested name, not the whole TLD (until is widely deployed and it would only partially solved the issue). There is also a concern that the requests for these non-existing TLDs are not issued by "proper" systems (because they are supposed to never leave the local network). If these requests are sent by badly programmed or badly configured systems, can we be sure they will honor the "delegation" and the caching? To summarise, it would be interesting to design and conduct an experiment to measure the expected effect. Ideas are welcome (the most obvious one, running a "delegation" during a moment then deleting it and comparing the results, is difficult to foresee, for political reasons). To be sure AS112 could handle the load, AS 112 operators were consulted and expressed no objection. Regarding DNSSEC, do note the future DNAMEs in the root zone will be signed, but the target, empty.as112.arpa, is not. See George Michaelson's message. So, it will not be possible to validate the answers. Not a problem since these requests should never have been sent to the root nameservers, anyway. RFC-EDITOR: remove before publication. As of today, it exists apparently five nodes in the new AS112. There is no "official" "delegation" to it. Do note that, as a consequence of the new AS122 structure, it is not possible to see how many unofficial "delegations" exist (to see an example, see junk.bortzmeyer.fr).

IANA is directed to add a DNAME in the root zone for every TLD which fits the rules of . RFC-EDITOR: remove before publication. There is currently no DNAME in the root zone. It is expected that the creation of the first one will require a top-down, multi-stakeholder, long and complicated process with a lot of meetings, reports by consultants and design teams. We already have one short mention of this possibility in , then one decision by ICANN to study the matter and one technical report made after that decision ("This report found no failure in resolution nor in the ability to perform DNSSEC validation when DNAME was used in the root zone.") TODO: if DNAMEs in the "real" root zone are delayed, is it possible/realistic for IANA to create an experimental root zone containing the new AS112 "delegations", so that roots like Yeti could publish it and test it? REMOVE BEFORE PUBLICATION: there are today TLDs with a DNAME at their apex (not the same thing): xn--kprw13d and xn--mgba3a4f16a.

The requests for the TLD in the Special-Use Domain Names registry are typically NOT supposed to leak to the authoritative public name servers such as the ones of the root zone. If they do, it means a misconfiguration somewhere. The leak is independant on whether the name is "delegated" to AS112 or not. See section 8 of for an analysis. Nevertheless, privacy considerations have to be taken into account. Some people believe there are added risks, because the queries will be seen by AS112 servers which, unlike the root nameservers, are managed by many "random people". This means that population of people who can see the query streams is increased from the set of root nameserver operators and people that they share data with, to potentially anybody. There's no defence against a malefactor hijacking AS112 traffic, because in a real sense that traffic is intended to be hijacked.

Thanks to Paul Hoffman to say that it may be a good idea, for Patrik Faltstrom for documentation and research, for Joe Abley for tough proofreading and many suggestions, and for Ted Lemon to give the final impulse, with his .