Network Working Group                                         P. Pfister
Internet-Draft                                             Cisco Systems
Updates: RFC7788 (if approved)                                  T. Lemon
Intended status: Standards Track                           Nominum, Inc.
Expires: October 22, December 9, 2017                                 April 20,                                   June 7, 2017

                    Special Use Domain ''


   This document specifies the behavior that is expected from the Domain
   Name System with regard to DNS queries for names ending with
   '', and designates this domain as a special-use domain
   name.  The '' domain replaces '.home' as the default domain
   used by the '' is designated for non-unique use in residential
   home networks.  Home Networking Control Protocol (HNCP). (HNCP) is updated to
   use the '' domain instead of '.home'.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 22, December 9, 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  General Guidance  . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Domain Name Reservation Considerations  . . . . . . . . . . .   3
   4.  Updates to Home Networking Control Protocol . . . . . . . . .   4
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   6.  Delegation of '' . . . . . . . . . . . . . . . . . .   5   6
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   8.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .   6   7
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6   7
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .   6   7
     9.2.  Informative References  . . . . . . . . . . . . . . . . .   6   7
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   7   8

1.  Introduction

   Users and devices within a home network require devices and services
   to be identified by names that are unique within the boundaries of
   the home network [RFC7368].  The naming mechanism needs to function
   without configuration from the user.  While it may be possible for a
   name to be delegated by an ISP, home networks must also function in
   the absence of such a delegation.  A default name with a scope
   limited to each individual home network needs to be used.

   The '' domain replaces '.home' which was specified corrects an error in
   [RFC7788] [RFC7788], replacing
   '.home' as the default domain-name for home networks. '.home' had
   been selected as the most user-friendly option.  However, there are
   existing uses of '.home' that may be in conflict with this use:
   evidence indicates that '.home' queries frequently leak out and reach
   the root name servers [ICANN1] [ICANN2].  Also, ICANN has about a
   dozen applicants

   In addition, it's necessary, for compatibility with DNSSEC
   (Section 5), that an unsigned delegation be present for the '.home' top-level domain name, which creates name.
   There is an existing process for allocating names under '.arpa'
   [RFC3172].  No such process is available for requesting a significant risk of litigation if it were claimed by similar
   delegation in the IETF
   outside root at the request of the IETF, which does not
   administer that process. zone.  As a result, the use of '.home' has been
   deprecated; this document updates [RFC7788] to replace '.home' with
   '', while another document, [I-D.ietf-homenet-redact]
   deprecates the use of the '.home' TLD. is deprecated.

   This document registers the domain '' as a special-use
   domain name [RFC6761] and specifies the behavior that is expected
   from the Domain Name System with regard to DNS queries for names
   whose rightmost non-terminal label is 'homenet'. labels are ''.  Queries for
   names ending with '' are of local significance within the
   scope of a home network, meaning that identical queries will result
   in different results from one home network to another.  In other
   words, a name ending in '' is not globally unique.

   Although this document makes specific reference to RFC7788, it is not
   intended that the use of '' be restricted solely to
   networks where HNCP is deployed; it is rather the case that
   '' is the correct domain for uses like the one described
   for '.home' in RFC7788: local name service in residential home

2.  General Guidance

   The domain name '' is to be used for naming within a
   residential home
   network. networks.  Names ending with '' reference
   a locally-served zone, the contents of which are unique only to a
   particular home network, and are not globally unique.  Such names
   refer to nodes and/
   or and/or services that are located within a home network
   (e.g., a printer, or a toaster).

   DNS queries for names ending with '' are resolved using
   local resolvers on the homenet.  Such queries MUST NOT be recursively
   forwarded to servers outside the logical boundaries of the home

   Some service discovery user interfaces that are expected to be used
   on homenets conceal information such as domain names from end users.
   However, it is still expected that in some cases, users will need to
   see, remember, and even type, names ending with ''.  It is
   therefore desirable that users identify the domain and understand
   that using it expresses the intention to connect to a service that is
   specific to the home network to which they are connected.  Enforcing
   the fulfillment of this intention is out of scope for this document.

3.  Domain Name Reservation Considerations

   This section defines the behavior of systems involved in domain name
   resolution when serving resolving queries for names ending with ''
   (as per [RFC6761]).

   1.  Users can use names ending with '' just as they would
       use any other domain name.  The '' name is chosen to be
       readily recognized by users as signifying that the name is
       addressing a service on the homenet to which the user's device is

   2.  Applications  Application software SHOULD treat domain NOT process names ending with ''
       just like any other FQDN, and MUST NOT make any assumption on the in
       '' specially.  In particular, it would not be correct
       to assign a higher level of additional security implied by its presence. trust to such names: although such
       names might refer to resources on the application user's home
       network, there is no basis for validating this assumption at a
       protocol level, and hence such an assumption would create an
       attack surface for devices roaming to other networks.

   3.  Name resolution APIs and libraries MUST NOT recognize names that
       end in '' as special and MUST NOT treat them
       differently.  Name resolution APIs MUST send queries for such
       names to a recursive DNS server that is configured to be
       authoritative for the zone appropriate to the home
       network.  One or more IP addresses for recursive DNS servers will
       usually be supplied to the client through router advertisements
       or DHCP.  If a host is configured to use a resolver other than
       one that is authoritative for the appropriate zone,
       the client may be unable to resolve, or may receive incorrect
       results for, names in sub domains of "".

   4.  Unless configured otherwise, to serve subdomains of '', recursive
       resolvers and DNS proxies MUST behave as described in Locally
       Served Zones ([RFC6303] Section 3).  Recursive resolvers that are
       part of a home network MAY be configured manually or
       automatically (e.g., for auto-
       configuration auto-configuration purposes) to act
       differently, e.g., by querying another name server configured as
       authoritative for part or all of the '' domain, or
       proxying the request through a different mechanism.

   5.  Only a DNS server that is authoritative for the '.arpa' zone or
       is configured to be authoritative for '' or a subdomain
       of '' will ever answer a query about ''  In
       both of these cases, the server should simply answer as
       configured: no special handling is required.  The delegation
       returned by servers authoritative for '.arpa' will not match the
       delegation returned by a local resolver that is actually
       answering for ''

   6.  DNS servers outside a home network should not be configured to be
       authoritative for

   7.  '' is a subdomain of the 'arpa' top-level domain, which
       is entirely operated by IANA under the authority of the Internet
       Architecture Board.  As
       such, Board according to the rules established in
       [RFC3172].  There are no new advice for other registrars is required here. for .arpa.

4.  Updates to Home Networking Control Protocol

   The final paragraph of Homenet Considerations Protocol [RFC7788],
   section 8, is updated as follows:


      Names and unqualified zones are used in an HNCP network to provide
      naming and service discovery with local significance.  A network-
      wide zone is appended to all single labels or unqualified zones in
      order to qualify them. ".home" is the default; however, an
      administrator MAY configure the announcement of a Domain-Name TLV
      (Section 10.6) for the network to use a different one.  In case
      multiple are announced, the domain of the node with the greatest
      node identifier takes precedence.


      Names and unqualified zones are used in an HNCP network to provide
      naming and service discovery with local significance.  A network-
      wide zone is appended to all single labels or unqualified zones in
      order to qualify them. "" is the default; however, an
      administrator MAY configure the announcement of a Domain-Name TLV
      (Section 10.6) for the network to use a different one.  In case
      multiple are announced, the domain of the node with the greatest
      node identifier takes precedence.

      The '' special-use name does not require a special
      resolution protocol.  Names for which the rightmost non-terminal
      label is 'homenet' two labels are
      '' are resolved using the DNS protocol [RFC1035].

5.  Security Considerations

   A DNS record that is returned as a response to a query ending with for an FQDN in
   the domain '' is expected to have local significance.  It
   is expected to be returned by a server involved in name resolution
   for the home network the device is connected in.  However, such
   response MUST NOT be considered more trustworthy than would be a
   similar response for any other DNS query.

   Because '' is not globally scoped and cannot be secured
   using DNSSEC based on the root domain's trust anchor, there is no way
   to tell, using a standard DNS query, in which home network scope an
   answer belongs.  Consequently, users may experience surprising
   results with such names when roaming to different home networks.  To
   prevent this from happening, it may be useful for the resolver to
   identify different home networks on which it has resolved names, but
   this is out of scope for this document.


   It is not possible to install a trust anchor for this zone in the
   '.arpa' zone.  The reason for this is that in order to enable DNSSEC do so, it
   would be necessary to have the key-signing key for the zone
   ([RFC4034] Section 5).  Since the zone is not globally unique, no one
   key would work.

   An alternative would be to install a authenticated denial of
   existence ([RFC4033] Section 3.2).  However, this assumes that
   validation is being done on a caching resolver that is aware of the
   special local meaning of ''.  If a host stub resolver
   attempts to validate a name in, an authenticated denial
   of existence of 'home' as a subdomain of 'arpa.' would cause the
   validation to fail.  Therefore, the only delegation that will allow
   names under '' to be resolved is an unsigned delegation.

   Consequently, unless a trust anchor for the particular '', instance of
   the '' zone being validated is manually configured on the
   validating resolver, DNSSEC signing of names within the ''
   zone is not possible.

   Although in principle it might make sense be useful to configure install a trust anchor
   for a particular instance of '', it's reasonable to expect
   that homenet.  How
   this a host with such a trust anchor might from time to time connect
   to more than one network with its own instance of ''.  Such
   a host would be done unable to access services on any instance of
   '' other than the one for which a trust anchor was

   It is in principle possible to attach an identifier to an instance of
   '' that could be used to identify which trust anchor to
   rely on for validating names in that particular instance.  However,
   the security implications of this are complicated, and such a
   mechanism, as well as a discussion of those implications, is out of
   scope for this document.

6.  Delegation of ''

   In order to be fully functional, there must be a delegation of
   '' in the '.arpa' zone. zone [RFC3172].  This delegation MUST NOT
   be signed, MUST NOT include a DS record, and MUST point to one or
   more black hole servers, for example BLACKHOLE-1.IANA.ORG and BLACKHOLE-
   BLACKHOLE-2.IANA.ORG.  The reason that this delegation must not be
   signed is that not signing the delegation breaks the DNSSEC chain of
   trust, which prevents a validating stub resolver from rejecting names
   published under '' on a homenet name server.

7.  IANA Considerations

   IANA is requested to record the domain name "" in the
   Special-Use Domain Names registry [SUDN].

8.  Acknowledgments

   The authors would like to thank Stuart Cheshire for his prior work on
   '.home', as well as the homenet chairs: Mark Townsley and Ray Bellis.
   We would also like to thank Paul Hoffman for providing review and
   comments on the IANA considerations section.

9.  References

9.1.  Normative References

   [RFC3172]  Huston, G., Ed., "Management Guidelines & Operational
              Requirements for the Address and Routing Parameter Area
              Domain ("arpa")", BCP 52, RFC 3172, DOI 10.17487/RFC3172,
              September 2001, <>.

   [RFC6303]  Andrews, M., "Locally Served DNS Zones", BCP 163,
              RFC 6303, DOI 10.17487/RFC6303, July 2011,

   [RFC6761]  Cheshire, S. and M. Krochmal, "Special-Use Domain Names",
              RFC 6761, DOI 10.17487/RFC6761, February 2013,

              Lemon, T., "Redacting .home from HNCP", draft-ietf-
              homenet-redact-03 (work in progress), March 2017.

9.2.  Informative References

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
              November 1987, <>.

   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "DNS Security Introduction and Requirements",
              RFC 4033, DOI 10.17487/RFC4033, March 2005,

   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Resource Records for the DNS Security Extensions",
              RFC 4034, DOI 10.17487/RFC4034, March 2005,

   [RFC7368]  Chown, T., Ed., Arkko, J., Brandt, A., Troan, O., and J.
              Weil, "IPv6 Home Networking Architecture Principles",
              RFC 7368, DOI 10.17487/RFC7368, October 2014,

   [RFC7788]  Stenberg, M., Barth, S., and P. Pfister, "Home Networking
              Control Protocol", RFC 7788, DOI 10.17487/RFC7788, April
              2016, <>.

   [ICANN1]   "New gTLD Collision Risk Mitigation", October 2013,

   [ICANN2]   "New gTLD Collision Occurence Management", October 2013,

   [SUDN]     "Special-Use Domain Names Registry", July 2012,

Authors' Addresses

   Pierre Pfister
   Cisco Systems


   Ted Lemon
   Nominum, Inc.
   800 Bridge Parkway
   Redwood City, California  94065
   United States of America

   Phone: +1 650 381 6000