The .alt Special-Use Top-Level Domain
draft-ietf-dnsop-alt-tld-25

Yes

Erik Kline
Paul Wouters
Robert Wilton
Éric Vyncke

No Objection

Andrew Alston
Jim Guichard
John Scudder
Lars Eggert
Roman Danyliw
Zaheduzzaman Sarker

Recuse

Warren Kumari

Note: This ballot was opened for revision 23 and is now closed.

Erik Kline
Yes
Paul Wouters
Yes
Comment (2023-04-23 for -23) Sent 
Some of my comments might be DISCUSS-worthy (my apologies), but I really don't want to block this document for any further time. But please do take my comments into considerations if you can do a quick ref update.

The term pseudo-TLD as defined here is not how I've seen the term
used. A pseudo TLD as I've seen it used is a TLD that's one step
below a real TLD and runs as a general GTLD (open registration),
eg "uk.com". I guess I would qualify the use in this document
more as "fake TLD", but I can see how that might come over as
even more perogative. So I am fine with the current definition
and use case. Perhaps a "to be confused with" note could
be added, but is not strictly required.


        4. Caching DNS servers SHOULD NOT recognize names in the .alt
        pseudo-TLD as special and SHOULD NOT perform any special handling
        with them.

There is value for a recursor to "pre-load" the proof of non-existence
of ".alt" (the entire branch in the hierarchy) to avoid any potential
leakage of subdomains within alt. It could potentially also reduce error
message logs if someone starts using .alt not as a real hierarchy or using
non-DNS valid characters in their name, eg Ulabel stuff or even binary stuff
like 0x00010001000000003616c7400. They could also just return NXDOMAIN instead
of forwarding the query to the root servers to avoid a privacy leak. Or it
could modify the question foo "foo.alt" and only send "alt" to the root. I
see no reason such additional protection mechanisms need to violate this
"SHOULD NOT" clause. Why not flip the statement around?

        4. Caching DNS servers MAY recognize names in the .alt pseudo-TLD
        as special and MAY perform special privacy preserving methods to
        return (DNSSEC signed) NXDOMAIN answers to prevent leaking entries
        under the .alt pseudo-TLD into the global DNS.

        5. Authoritative DNS servers SHOULD NOT recognize names in the
        .alt pseudo-TLD as special and should not perform any special
        handling with them.

Any reason the second "should not" is lowercase ?
Note that I do agree here, and would even say MUST NOT so that people
can use DNS technology even if not rooted in the global DNS for their
.alt names without having to modify existing DNS software (eg run a
shadow .alt using DNS on port 666 or something)

        6. DNS server operators will treat names in ...

I find the use of "will" here a little odd. Perhaps:

        6. DNS servers and operators, which whave no special handling
           for the .alt pseudo-TLD will end up treating names in ...



        7. DNS registries/registrars for the global DNS will never
        register names in the .alt pseudo-TLD because .alt will not
        exist in the global DNS root

"will never" seems wishful thinking. I've seen some very fraudulent stuff
happen with DNS registries/registrars. eg what if one of them will support
pseudo-TLDs along with real DNS domains, and includes bogus .alt registrations?
Perhaps:

        7. DNS registries/registrars for the global DNS can never legitimately
        register names in the .alt pseudo-TLD because .alt will never exist in
        the global DNS root

Again, my apologies to Warren for not balloting a blanc YES :)
Robert Wilton
Yes
Éric Vyncke
Yes
Comment (2023-04-24 for -23) Sent 
Thanks to the authors and the DNSOP working group, and of course to Suzanne for a detailed shepherd's write-up.

Important document to bring some clarity for some use cases.

Just two minor comments:

1/ I support Paul Wouters' issue with the name "pseudo-TLD", it is both too late and a bike-shedding exercice... "ghost-TLD" or "filler-TLD" or "dummy-TLD" would have been better

2/ in section 2, s/because .alt, by definition, is not a DNS name./because .alt, by this specification, is not a DNS name./ ?

Regards

-éric
Andrew Alston
No Objection
Jim Guichard
No Objection
John Scudder
No Objection
Comment (2023-04-26 for -23) Sent 
One comment -- Section 3.2 has "DNS server operators MAY be aware that queries for name ending in .alt are not DNS names, and queries for those names were leaked into the DNS context." The RFC 2119 MAY appears misused in this context.

(Also, in that quote, s/queries for name/queries for names/)
Lars Eggert
No Objection
Comment (2023-04-24 for -23) Sent 
# GEN AD review of draft-ietf-dnsop-alt-tld-23

CC @larseggert

Thanks to Behcet Sarikaya for the General Area Review Team (Gen-ART) review
(https://mailarchive.ietf.org/arch/msg/gen-art/1LB6_ujGseyZRWPgTQZrP2pS8zk).

## Comments

### DOWNREFs

DOWNREF `[RFC8244]` from this Proposed Standard to Informational `RFC8244`.
(For IESG discussion. It seems this DOWNREF was not mentioned in the Last Call
and also seems to not appear in the DOWNREF registry.)

I think RFC8244 could be cited informatively?

## Nits

All comments below are about very minor potential issues that you may choose to
address in some way - or ignore - as you see fit. Some were flagged by
automated tools (via https://github.com/larseggert/ietf-reviewtool), so there
will likely be some false positives. There is no need to let me know what you
did with these suggestions.

### Grammar/style

#### Section 2, paragraph 7
```
 performing aggressive use of DNSSEC- validated caches (described in [RFC8198
                              ^^^^^^^^^^^^^^^^^
```
This word seems to be formatted incorrectly. Consider fixing the spacing or
removing the hyphen completely.

#### Section 2, paragraph 8
```
will cover all names under .alt. Currently deployed projects and protocols t
                                 ^^^^^^^^^
```
A comma may be missing after the conjunctive/linking adverb "Currently".

#### Section 7.1, paragraph 2
```
and P. Hoffman, "DNS Query Name Minimisation to Improve Privacy", RFC 9156, 
                                ^^^^^^^^^^^^
```
Do not mix variants of the same word ("minimisation" and "minimization") within
a single text.

## Notes

This review is in the ["IETF Comments" Markdown format][ICMF], You can use the
[`ietf-comments` tool][ICT] to automatically convert this review into
individual GitHub issues. Review generated by the [`ietf-reviewtool`][IRT].

[ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md
[ICT]: https://github.com/mnot/ietf-comments
[IRT]: https://github.com/larseggert/ietf-reviewtool
Roman Danyliw
No Objection
Comment (2023-04-25 for -23) Sent 
Thank you to Linda Dunbar for the SECDIR review.

** Section 2.
   Currently deployed projects and protocols that are using pseudo-TLDs
   are recommended to move under the .alt pseudo-TLD, but this is not a
   requirement.

I don’t understand the basis of this recommendation.  Projects and protocols using pseudo-TLDs (outside of https://www.iana.org/domains/reserved) are already not following published guidance.  Why is there an expectation that this document can change behavior?

Section 3.2.  Item #3. Editorial.  s/Writers of name resolution APIs/Creators of name resolution APIs/.  Or “developers”, “implementers, or “designers” 

** Section 3.2.  Item #7
   7.  DNS registries/registrars for the global DNS will never register
   names in the .alt pseudo-TLD because .alt will not exist in the
   global DNS root.

Items #4 – 6 on this list use RFC2119 language to make the expected behavior clear.  This text seems to be written in an aspiration form describing what registries/registrars will do, without explicitly prohibiting them with normative language.  Is there a reason for that?
Zaheduzzaman Sarker
No Objection
Comment (2023-04-26 for -23) Not sent 
Thanks for working on this document.
Warren Kumari
Recuse
Comment (2023-04-18 for -23) Not sent 
'm a nauthor...