The ".onion" Special-Use Domain Name
draft-ietf-dnsop-onion-tld-01

[Ballot comment]
I would like the document to be approved, and recommend its approval with a Yes. Before that I wanted to have a brief discussion with the IESG if it would be useful to send a message to the community that we believe RFC 6761 needs to be open for review and modification, and that the current rules may be inadequate and unscalable.

The two last references need to be normative ones, I believe. I would like to suggest a note to the IETF list (if not already happened) that this is being changed and then approving the document.

[Ballot comment]
I would like the document to be approved, and recommend its approval with a Yes. Before that I wanted to have a brief discussion with the IESG if it would be useful to send a message to the community that we believe RFC 6761 needs to be open for review and modification, and that the current rules may be inadequate and unscalable.

The two last references need to be normative ones, I believe. I would like to suggest a note to the IETF list (if not already happened) that this is being changed (alongside with any down ref implications) and only then approving the document.

[Ballot discuss]
I would like the document to be approved, and will recommend its approval with a Yes momentarily. Before that I wanted to have a brief discussion with the IESG if it would be useful to send a message to the community that we believe RFC 6761 needs to be open for review and modification, and that the current rules may be inadequate and unscalable.

[Ballot comment]
Quoting Alvara, whose opinion I share: " [Personally, I believe having the IETF assign TLDs is a very slippery slope. Of course, given rfc6761, that boat seems to have already sailed.]

Discussing this matter with Joel, one extra argument (not in the write-up) in favor of allocating .onion is that ICANN set this .onion TLD aside (flagged as problematic). So there is no monetized value for it.

If/Once [tor-rendezvous] is a normative reference, do we consider github as stable enough? What if that link disappears?

Nits/editorials (flagged by Tom Taylor's OPS directorate review)
    Section 2 item 3: s/either either/either/

[Ballot comment]
I'm seeing a lot of discussion (even during IESG Evaluation) that resonates with me, but the people having that discussion are more clued about DNS and the policy thereof, than I am.

I do have one observation that I haven't seen anyone else touch on:

I thought .onion was tied closely to the TOR protocol, so I have no idea why the second sentence in this paragraph is here, or what it means, and neither the string "TOR" nor the string "onion" appear in RFC 7230, so chasing that reference didn't help.

  Like Top-Level Domain Names, .onion addresses can have an arbitrary
  number of subdomain components.  This information is not meaningful
  to the Tor protocol, but can be used in application protocols like
  HTTP [RFC7230].

Am I just being dense the night before a telechat, and everyone else understands what this means and why it needs to be included in this document?

If this isn't clear to other people, could you either say more about what it means, or delete the second sentence?

I'm not confused about the first sentence, only the second ...

[Ballot comment]
The two last references need to be normative ones, I believe. I would like to suggest a note to the IETF list (if not already happened) that this is being changed (alongside with any down ref implications) and only then approving the document.

[Ballot comment]
I believe the IETF shouldn't be involved with registering special-use TLDs for things that were used outside of IETF protocols, and should not be wading into territory that belongs to ICANN.  I know there are a bunch of other such TLDs that people/organizations would have us snag for them, and I very much want to avoid doing a batch of others.

That said, I well understand the deployed code involved and the importance of keeping things working in this case, and I don't want to stand in the way.  So I'm standing aside with an "Abstain" ballot.

[Ballot comment]
This one took some soul searching. But I think the arguments have been made, and that on the whole this registration does more good than harm.

I agree with the several people who have pointed out that [tor-rendezvous] should be a normative reference.

Nit: The abstract could use a bit more meat. For example, that the .onion special-purpose name is for use with Tor.

[Ballot comment]
Registering this name seems warranted in light of the potential security impact. We need to make our processes work for the Internet, not vice versa.

I agree with Alvaro and Stephen's comments. In particular, to my eye [tor-rendezvous] should be a normative reference given item #3 in Section 2. However, it seems more important to publish this document than to re-issue the last call to call out a new downref.

[Ballot comment]
[Personally, I believe having the IETF assign TLDs is a very slippery slope.  Of course, given rfc6761, that boat seems to have already sailed.]

1. I know there’s an update to the Security Considerations in progress..but I would like to point out an additional item:

Section 2 (The ".onion" Special-Use Domain Name) says that "human users are expected to recognize .onion names as having different security properties”.  While Tor users may have no issues with recognizing the .onion names, I don’t think it is sensible to expect that the average Internet user will be able to clearly identify them as special, much less understand their properties.  Also, the Security Considerations section says that “users must take special precautions to ensure that the .onion name they are communicating with is correct”, but none of those precautions are mentioned, nor what “correct” means (specially in light of the fact that part of "a .onion name is not intended to be human-meaningful”).  I would like to see some text in the Security Considerations around the risks that the average user may face if using a .onion addresses (or something that looks like one) through their browser (for example) — I realize that won’t necessarily help the average user (who probably will never know this document even exists), but I think it is important to call out.


2. References.  Given that Section 2 (The ".onion" Special-Use Domain Name) says that "Resolvers MUST…respond to requests…by resolving them according to [tor-rendezvous]…” I think that reference should be normative.  The same for the main Tor reference [Dingledine2004], which builds the base of why these are special names.


3. Nit. Section 2 (The ".onion" Special-Use Domain Name)  s/either either/either

[Ballot comment]
I agree with Stephen's points that the long debate has utility and that there were some proposed text changes that appear to be missing.

[Ballot comment]

(6 pages, so I read it now:-)

We definitely need to approve this. It's been too
long in the process already and that's been our
(the IETF's) fault. (I won't object to us trying to
improve 6761 after we've done this one, so some
of the long debate will have lasting utility.)

I thought I saw some edits from the last call
that were agreed to be applied and that would
improve the document. In particular, one that
was to the effect that .onion names would in
future need to conform to DNS name syntactic
constraints (lengths basically) so that if a
node did send a DNS query containing a .onion
name, that'd be less likely to cause weird
issues.

Section 2 is a little sloppy in how it talks
about ".onion addresses (point 1), ".onion
names" (which is the right term I think) and
"queries for .onion" (I think you mean any
query for any .onion name and not only for
the TLD #4 and #5). A bit more consistency
would be no harm, though it's clear enough as
is.

[Ballot comment]
I believe the IETF shouldn't be involved with registering special-use TLDs for things that have been squatted on, and thus helping to circumvent ICANN's normal process.  I know there are a bunch of other such TLDs that people/organizations would have us snag for them, and I very much want to avoid that nasty iceberg, of which this is the tip.

That said, I well understand the deployed code involved and the importance of keeping things working in this case, and I don't want to stand in the way.  So I'm standing aside with an "Abstain" ballot.

(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

IANA has reviewed draft-ietf-dnsop-onion-tld-00, and its reviewers have the following questions/comments:

IANA understands that, upon approval of this document, there is a single action which IANA must complete.

In the Special-Use Domain Names registry located at:

https://www.iana.org/assignments/special-use-domain-names/

a single, new domain name is to be added to the registry as follows:

Name: onion
Reference: [ RFC-to-be ]

However, one reviewer added the following:

"My comment would be there is nothing in the IANA considerations regarding how IANA manages the root zone, although immediately prior it says:

"'DNS Registries/Registrars: Registrars MUST NOT register .onion names; all such requests MUST be denied.'

"I believe 'register' in this context is not sufficiently clear. Perhaps 'delegate' is intended? For example, normally for a reserved name IANA would keep a record in the root zone database to acknowledge this, but this could appear to prohibit keeping a record for this purpose. Further, my understanding is part of the reason for this whole I-D is to all SSL certificate vendors (which are often DNS registries/registrars) to allow registration of SSL certificates for .onion names. I would say a plain reading of this may prohibit that. I would suggest there be an explicit additional category that makes it clear it expects service providers, such as trust providers, for to support .onion domains in such applications."

The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
CC:
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (The .onion Special-Use Domain Name) to Proposed Standard


The IESG has received a request from the Domain Name System Operations WG
(dnsop) to consider the following document:
- 'The .onion Special-Use Domain Name'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2015-08-11. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract

This document uses the Special-Use Domain Names registry to register the
'.onion' Top Level Domain (TLD) for the Tor Network. This is deemed necessary 
for hosts on the ToR network to apply for and receive legitimate SSL Certificates.

The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-dnsop-onion-tld/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-dnsop-onion-tld/ballot/


No IPR declarations have been submitted directly on this I-D.

(1) What type of RFC is being requested (BCP, Proposed Standard,
Internet Standard, Informational, Experimental, or Historic)?  Why
is this the proper type of RFC?  Is this type of RFC indicated in the
title page header?

This draft is being requested for a "Standards Track" RFC. This is proper as it
defines a Domain Name which will added to a specific IANA registry.

(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved
documents. The approval announcement contains the following sections:

Technical Summary

This document uses the Special-Use Domain Names registry to register the
'.onion' Top Level Domain (TLD) for the Tor Network. This will allow hosts on
the ToR network to apply for and receive legitimate SSL Certificates.

Working Group Summary

During the Working Group process, there was contention from several parties
who were unaware that the charter of DNSOP was updated to reflect issues
surrounding [RFC6761].  Once that was cleared up, there was several
discussions that no addition to the Special-Use Domain Name registry could
happen until an overhaul of [RFC6751] occurred. In the case of this draft,
it was decided to move forward with the current conditions.

Document Quality

The draft is a few pages long, long enough to create a registration template
for '.onion' to be added to the Special-Use Registry. The Document Quality is
quite reasonable.  Several Experts in the area of DNS and Domain Names
reviewed the document and found it suitable to move forward.

Personnel

The Document Shepherd is Tim Wicinski and the Responsible Area Director is Joel
Jaggeli.


(3) Briefly describe the review of this document that was performed by
the Document Shepherd.  If this version of the document is not ready
for publication, please explain why the document is being forwarded to
the IESG.

The Document Shepherd did a detailed review of this document. They also were
involved with many discussions on the mailing list about this topic and this
name directly.  The Shepherd feels this document is ready for publication.

(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed?

The Document Shepherd feels that the Working Group spent an inordinate amount
of time discussing this document and reviewing the contents of this draft.

(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization? If so, describe the review that
took place.

This document does not need any further review from a broader perspective.

(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the
IESG should be aware of? For example, perhaps he or she is uncomfortable
with certain parts of the document, or has concerns whether there really
is a need for it. In any event, if the WG has discussed those issues and
has indicated that it still wishes to advance the document, detail those
concerns here.

The main issue which arose during this draft, and others like it, is that
the world has changed since the creation of [RFC6761].  Adding names to the
Special-Use Domain Names registry is effectively removing it from possible Top
Level Domains(TLDs) that can be used.  Previously, this was less of a concern
as TLDs were few.  With ICANN now monetizing the Root Zone of the Internet,
it can be argued that these names have an intrinsic value.

(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed. If not, explain why.

There are no IPR disclosures for this document.

(8) Has an IPR disclosure been filed that references this document?
If so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

There are no IPR disclosures filed referencing this document.

(9) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others
being silent, or does the WG as a whole understand and agree with it? 

There is solid working group consensus behind this document. The Working Group
feels this draft most reflects the intents and purposes of [RFC6761] and the
need to register this name.

(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)

There has been no appeals threatened or indicated with this document.

(11) Identify any ID nits the Document Shepherd has found in this
document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist). Boilerplate checks are not enough; this check needs to be
thorough.

There are no nits in this document.

(12) Describe how the document meets any required formal review
criteria, such as the MIB Doctor, media type, and URI type reviews.

This document should receive the formal review criteria that is required in
placing a domain name on the Special-Use Domain Names list, as specified in
[RFC6761].

(13) Have all references within this document been identified as
either normative or informative?

All references have been identified as normative or informative.

(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative
references exist, what is the plan for their completion?

All normative references in this document are in a completed state.

(15) Are there downward normative references references (see RFC 3967)?
If so, list these downward references to support the Area Director in
the Last Call procedure.

There are no downward normative references in this document.

(16) Will publication of this document change the status of any
existing RFCs? Are those RFCs listed on the title page header, listed
in the abstract, and discussed in the introduction? If the RFCs are not
listed in the Abstract and Introduction, explain why, and point to the
part of the document where the relationship of this document to the
other RFCs is discussed. If this information is not in the document,
explain why the WG considers it unnecessary.

This document will not change the state of any existing RFCs.

(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly
identified. Confirm that newly created IANA registries include a
detailed specification of the initial contents for the registry, that
allocations procedures for future registrations are defined, and a
reasonable name for the new registry has been suggested (see RFC 5226).

The IANA considerations section describes the "Special-Use Domain Names
Registry", which is what [RFC6761] refers to it as.

The IANA Section of this document
(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find
useful in selecting the IANA Experts for these new registries.

There are no new IANA registries in this document

(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.