Notes: RFC 8244 lays out some of the painful parts of DNS

Its title is "Special-Use Domain Names Problem Statement", but by taking the problems around Special-Use Domain Names (names like in-addr.arpa and .localhost; see RFC 6761) as its axis, it gives a glimpse of the limits the DNS system as a whole is running into, which I, as a DNS layman, found interesting.

RFC 8244 - Special-Use Domain Names Problem Statement

Notes on the parts that stuck with me.

First, there is no defined process for coordination between the IETF and ICANN.

  1. Although the IETF and ICANN have a liaison relationship through which special-use allocations can be discussed, there exists no formal process for coordinating these allocations (see Section 4.1.3). The lack of coordination complicates the management of the root of the Domain Namespace and could lead to conflicts in name assignments [SDO-ICANN-SAC090].
    (3. Problems Associated with Special-Use Domain Names)

And even if that coordination worked, it is not as if the IETF and ICANN could control every zone.

The assignment of Internet Names is not under the sole control of any one organization. The IETF has authority in some cases, but only with respect to "technical uses". At present, ICANN is the designated administrator of the root zone; but generally not of zones other than the root zone. Neither of these authorities can, in any practical sense, exclude the practice of ad hoc use of names.
(4. Existing Practice regarding Special-Use Domain Names)

DNS is not the only way to resolve names.

o The Domain Name System [RFC1035] is not the only protocol that may be used for resolving domain names.
(4.1.1. IAB Technical Comment on the Unique DNS Root)

o A Special-Use Domain Name may be a name that requires special handling in the stub resolver. An example would be a Special-Use Top-Level Domain Name like '.local', which acts as a signal to indicate that the local stub resolver should use a non-DNS protocol for name resolution.
(4.1.2. Special-Use Domain Names)
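The "special handling in the stub resolver" the RFC mentions is a concrete dispatch step: before a name is ever sent to a unicast DNS server, the resolver checks it against the registered special-use suffixes and decides whether to answer locally, hand off to another protocol, or use the DNS. The following is an added example of that step, not code from RFC 8244 or any real resolver. The per-name policies are the ones actually registered in RFC 6761 ("localhost" answers loopback locally, "invalid" answers NXDOMAIN locally), RFC 6762 (".local" is resolved with multicast DNS) and RFC 7686 (".onion" must never be sent to the DNS); the function names, constants and return shape are invented for the example.

```python
# Added example, not from RFC 8244: a stub resolver's dispatch step for
# Special-Use Domain Names. Policies come from RFC 6761 ("localhost",
# "invalid"), RFC 6762 (".local" -> mDNS) and RFC 7686 (".onion" must not be
# sent to the DNS). Names, constants and the return shape are hypothetical.

# Actions the caller takes *before* any packet goes to a unicast DNS server.
LOOPBACK = "answer-locally-loopback"   # localhost -> 127.0.0.1 / ::1 (RFC 6761)
NXDOMAIN = "answer-locally-nxdomain"   # .invalid (RFC 6761), .onion (RFC 7686)
MDNS = "use-mdns"                      # .local is resolved by multicast DNS (RFC 6762)
DNS = "use-dns"                        # ordinary unicast DNS resolution

# Suffixes are kept as label tuples so matching is per label, not per string:
# "notlocal.example" must not be treated as ".local".
SPECIAL_USE = {
    ("localhost",): LOOPBACK,
    ("invalid",): NXDOMAIN,
    ("onion",): NXDOMAIN,
    ("local",): MDNS,
}


def to_labels(name):
    """Normalise a presentation-format name: strip whitespace and the trailing
    root dot, lower-case, drop empty labels. Returns labels with the TLD last."""
    name = name.strip().rstrip(".").lower()
    return tuple(label for label in name.split(".") if label) if name else ()


def classify(name):
    """Return the dispatch action for `name`, matching the longest registered
    special-use suffix label by label ("www.localhost" matches "localhost",
    "notlocalhost.example" does not)."""
    labels = to_labels(name)
    for suffix in sorted(SPECIAL_USE, key=len, reverse=True):
        if len(labels) >= len(suffix) and labels[-len(suffix):] == suffix:
            return SPECIAL_USE[suffix]
    return DNS


def resolve_stub(name):
    """Simulate the stub resolver's first step. Returns (action, answers);
    `answers` is non-empty only when the resolver can answer by itself.
    A result of (DNS, []) means a query *would* go out on the wire, which for
    a ".onion" name would be exactly the leak RFC 7686 forbids."""
    action = classify(name)
    if action == LOOPBACK:
        return action, ["127.0.0.1", "::1"]
    return action, []


if __name__ == "__main__":
    # Constructed sample names covering each branch.
    for n in ["www.localhost.", "foo.invalid", "example.onion",
              "printer.LOCAL", "notlocalhost.example", "www.example.com"]:
        print(f"{n:24s} -> {resolve_stub(n)}")
```

The point of the label-wise match is the edge case: a naive `name.endswith(".local")` would be fine, but `name.endswith("local")` or a regex without an anchoring dot would misroute unrelated names, and a resolver that forgets the check entirely sends every `.onion` lookup to its upstream DNS, which is the privacy failure RFC 7686 was written to stop.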

Also, the story about certificates having been issued for .onion, the TLD used by Tor, was interesting.

Second, for some time, the CA/Browser Forum [SDO-CABF] had been issuing certificates for what they referred to as "internal names". (...) Consequently, the CA/Browser Forum decided to phase out the use of such names in certificates [SDO-CABF-INT] and set a deadline after which no new certificates for such names would be issued [SDO-CABF-DEADLINE]. Because the '.onion' domain was allocated unilaterally, this would mean that certificates for subdomains of '.onion' could no longer be issued.
(4.2.2. The '.onion' Special-Use Top-Level Domain Name)