1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
|
<pre>Internet Engineering Task Force (IETF) P. Pfister
Request for Comments: 8375 Cisco Systems
Updates: <a href="./rfc7788">7788</a> T. Lemon
Category: Standards Track Nibbhaya Consulting
ISSN: 2070-1721 May 2018
<span class="h1">Special-Use Domain 'home.arpa.'</span>
Abstract
This document specifies the behavior that is expected from the Domain
Name System with regard to DNS queries for names ending with
'.home.arpa.' and designates this domain as a special-use domain
name. 'home.arpa.' is designated for non-unique use in residential
home networks. The Home Networking Control Protocol (HNCP) is
updated to use the 'home.arpa.' domain instead of '.home'.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in <a href="./rfc7841#section-2">Section 2 of RFC 7841</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="https://www.rfc-editor.org/info/rfc8375">https://www.rfc-editor.org/info/rfc8375</a>.
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="https://trustee.ietf.org/license-info">https://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
<span class="grey">Pfister & Lemon Standards Track [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc8375">RFC 8375</a> home.arpa. May 2018</span>
Table of Contents
<a href="#section-1">1</a>. Introduction . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
<a href="#section-2">2</a>. Requirements Language . . . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-3">3</a>. General Guidance . . . . . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-4">4</a>. Domain Name Reservation Considerations . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-5">5</a>. Updates to Home Networking Control Protocol . . . . . . . . . <a href="#page-7">7</a>
<a href="#section-6">6</a>. Security Considerations . . . . . . . . . . . . . . . . . . . <a href="#page-7">7</a>
<a href="#section-6.1">6.1</a>. Local Significance . . . . . . . . . . . . . . . . . . . <a href="#page-7">7</a>
<a href="#section-6.2">6.2</a>. Insecure Delegation . . . . . . . . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-6.3">6.3</a>. Bypassing Manually Configured Resolvers . . . . . . . . . <a href="#page-9">9</a>
<a href="#section-7">7</a>. Delegation of 'home.arpa.' . . . . . . . . . . . . . . . . . <a href="#page-9">9</a>
<a href="#section-8">8</a>. IANA Considerations . . . . . . . . . . . . . . . . . . . . . <a href="#page-9">9</a>
<a href="#section-9">9</a>. References . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-10">10</a>
<a href="#section-9.1">9.1</a>. Normative References . . . . . . . . . . . . . . . . . . <a href="#page-10">10</a>
<a href="#section-9.2">9.2</a>. Informative References . . . . . . . . . . . . . . . . . <a href="#page-10">10</a>
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-12">12</a>
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-12">12</a>
<span class="grey">Pfister & Lemon Standards Track [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc8375">RFC 8375</a> home.arpa. May 2018</span>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
Users and devices within a home network (hereafter referred to as
"homenet") require devices and services to be identified by names
that are unique within the boundaries of the homenet [<a href="./rfc7368" title=""IPv6 Home Networking Architecture Principles"">RFC7368</a>]. The
naming mechanism needs to function without configuration from the
user. While it may be possible for a name to be delegated by an ISP,
homenets must also function in the absence of such a delegation.
This document reserves the name 'home.arpa.' to serve as the default
name for this purpose, with a scope limited to each individual
homenet.
This document corrects an error in [<a href="./rfc7788" title=""Home Networking Control Protocol"">RFC7788</a>] by replacing '.home'
with 'home.arpa.' as the default domain name for homenets. '.home'
was selected as the most user-friendly option; however, there are
existing uses of '.home' that may be in conflict with this use.
Evidence indicates that '.home' queries frequently leak out and reach
the root name servers [<a href="#ref-ICANN1" title=""New gTLD Collision Risk Mitigation"">ICANN1</a>] [<a href="#ref-ICANN2" title=""New gTLD Collision Occurence Management"">ICANN2</a>].
In addition, for compatibility with DNSSEC (see <a href="#section-6">Section 6</a>), it's
necessary that an insecure delegation (see <a href="./rfc4035#section-4.3">Section 4.3 of [RFC4035]</a>)
be present for the name. There is an existing process for allocating
names under '.arpa.' [<a href="./rfc3172" title=""Management Guidelines & Operational Requirements for the Address and Routing Parameter Area Domain ("">RFC3172</a>]. No such process is available for
requesting a similar delegation in the root at the request of the
IETF, which does not administer that zone. As a result, all
unregistered uses of '.home' (that is, all current uses at the time
of this document's publication), particularly as specified in
[<a href="./rfc7788" title=""Home Networking Control Protocol"">RFC7788</a>], are deprecated.
This document registers the domain 'home.arpa.' as a special-use
domain name [<a href="./rfc6761" title=""Special-Use Domain Names"">RFC6761</a>] and specifies the behavior that is expected
from the Domain Name System with regard to DNS queries for names
whose rightmost non-terminal labels are 'home.arpa.'. Queries for
names ending with '.home.arpa.' are of local significance within the
scope of a homenet, meaning that identical queries will result in
different results from one homenet to another. In other words, a
name ending in '.home.arpa.' is not globally unique.
Although this document makes specific reference to [<a href="./rfc7788" title=""Home Networking Control Protocol"">RFC7788</a>], it is
not intended that the use of 'home.arpa.' be restricted solely to
networks where HNCP is deployed. Rather, 'home.arpa.' is intended to
be the correct domain for uses like the one described for '.home' in
[<a href="./rfc7788" title=""Home Networking Control Protocol"">RFC7788</a>]: local name service in residential homenets.
<span class="grey">Pfister & Lemon Standards Track [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc8375">RFC 8375</a> home.arpa. May 2018</span>
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Requirements Language</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
<a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a> [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>] [<a href="./rfc8174" title=""Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words"">RFC8174</a>] when, and only when, they appear in all
capitals, as shown here.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. General Guidance</span>
The domain name 'home.arpa.' is to be used for naming within
residential homenets. Names ending with '.home.arpa.' reference a
zone that is served locally, the contents of which are unique only to
a particular homenet and are not globally unique. Such names refer
to nodes and/or services that are located within a homenet (e.g., a
printer or a toaster).
DNS queries for names ending with '.home.arpa.' are resolved using
local resolvers on the homenet. Such queries MUST NOT be recursively
forwarded to servers outside the logical boundaries of the homenet.
Some service discovery user interfaces that are expected to be used
on homenets conceal information such as domain names from end users.
However, in some cases, it is still expected that users will need to
see, remember, and even type names ending with '.home.arpa.'. The
Homenet Working Group hopes that this name will in some way indicate
to as many readers as possible that such domain names are referring
to devices in the home, but we recognize that it is an imperfect
solution.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Domain Name Reservation Considerations</span>
This section specifies considerations for systems involved in domain
name resolution when resolving queries for names ending with
'.home.arpa.'. Each item in this section addresses some aspect of
the DNS or the process of resolving domain names that would be
affected by this special-use allocation. Detailed explanations of
these items can be found in <a href="./rfc6761#section-5">Section 5 of [RFC6761]</a>. Although the
term 'homenet' in [<a href="./rfc7788" title=""Home Networking Control Protocol"">RFC7788</a>] refers to home networks that implement a
particular set of features, in this document the term is used to mean
any home network, regardless of the set of features it implements.
1. Users can use names ending with '.home.arpa.' just as they would
use any other domain name. The 'home.arpa.' name is chosen to be
readily recognized by users as signifying that the name is
addressing a service on the homenet to which the user's device is
connected.
<span class="grey">Pfister & Lemon Standards Track [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc8375">RFC 8375</a> home.arpa. May 2018</span>
2. Application software SHOULD NOT treat names ending in
'.home.arpa.' differently than other names. In particular, there
is no basis for trusting names that are subdomains of
'home.arpa.' (see <a href="#section-6">Section 6</a>).
3. Name resolution APIs and libraries MUST NOT recognize names that
end in '.home.arpa.' as special and MUST NOT treat them as having
special significance, except that it may be necessary that such
APIs not bypass the locally configured recursive resolvers.
One or more IP addresses for recursive DNS servers will usually
be supplied to the client through router advertisements or DHCP.
For an administrative domain that uses subdomains of
'home.arpa.', such as a homenet, the recursive resolvers provided
by that domain will be able to answer queries for subdomains of
'home.arpa.'; other resolvers will not, or they will provide
answers that are not correct within that administrative domain.
A host that is configured to use a resolver other than one that
has been provided by the local network may be unable to resolve,
or may receive incorrect results for, subdomains of 'home.arpa.'.
In order to avoid this, it is permissible that hosts use the
resolvers that are locally provided for resolving 'home.arpa.',
even when they are configured to use other resolvers.
4. There are three considerations for recursive resolvers that
follow this specification:
A. Recursive resolvers at sites using 'home.arpa.' MUST
transparently support DNSSEC queries: queries for DNSSEC
records and queries with the DNSSEC OK (DO) bit set (see
<a href="./rfc4035#section-3.2.1">Section 3.2.1 of [RFC4035]</a>). While validation is not
required, it is strongly encouraged: a caching recursive
resolver that does not validate answers that can be validated
may cache invalid data. This, in turn, will prevent
validating stub resolvers from successfully validating
answers.
B. Unless configured otherwise, recursive resolvers and DNS
proxies MUST behave as described in <a href="#section-3">Section 3</a> of the Locally
Served Zones document [<a href="./rfc6303" title=""Locally Served DNS Zones"">RFC6303</a>]. That is, queries for
'home.arpa.' and subdomains of 'home.arpa.' MUST NOT be
forwarded, with one important exception: a query for a DS
record with the DO bit set MUST return the correct answer for
that question, including correct information in the authority
section that proves that the record is nonexistent.
<span class="grey">Pfister & Lemon Standards Track [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc8375">RFC 8375</a> home.arpa. May 2018</span>
So, for example, a query for the NS record for 'home.arpa.'
MUST NOT result in that query being forwarded to an upstream
cache nor to the authoritative DNS server for '.arpa.'.
However, as necessary to provide accurate authority
information, a query for the DS record MUST result in
forwarding whatever queries are necessary; typically, this
will just be a query for the DS record, since the necessary
authority information will be included in the authority
section of the response if the DO bit is set.
C. In addition to the behavior specified above, recursive
resolvers that can be used in a homenet MUST be configurable
to forward queries for 'home.arpa.' and subdomains of
'home.arpa.' to an authoritative server for 'home.arpa.'.
This server will provide authoritative data for 'home.arpa.'
within a particular homenet. The special handling for DS
records for the 'home.arpa.' delegation is still required.
It is permissible to combine the recursive resolver function
for general DNS lookups with an authoritative resolver for
'home.arpa.'; in this case, rather than forwarding queries
for subdomains of 'home.arpa.' to an authoritative server,
the resolver answers them authoritatively. The behavior with
respect to forwarding queries specifically for 'home.arpa.'
remains the same.
5. No special processing of 'home.arpa.' is required for
authoritative DNS server implementations. It is possible that an
authoritative DNS server might attempt to check the authoritative
servers for 'home.arpa.' for a delegation beneath that name
before answering authoritatively for such a delegated name. In
such a case, because the name always has only local significance,
there will be no such delegation in the 'home.arpa.' zone, and so
the server would refuse to answer authoritatively for such a
zone. A server that implements this sort of check MUST be
configurable so that either it does not do this check for the
'home.arpa.' domain or it ignores the results of the check.
6. DNS server operators MAY configure an authoritative server for
'home.arpa.' for use in homenets and other home networks. The
operator for the DNS servers authoritative for 'home.arpa.' in
the global DNS will configure any such servers as described in
<a href="#section-7">Section 7</a>.
7. 'home.arpa.' is a subdomain of the 'arpa' top-level domain, which
is operated by IANA under the authority of the Internet
Architecture Board according to the rules established in
[<a href="./rfc3172" title=""Management Guidelines & Operational Requirements for the Address and Routing Parameter Area Domain ("">RFC3172</a>]. There are no other registrars for '.arpa'.
<span class="grey">Pfister & Lemon Standards Track [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc8375">RFC 8375</a> home.arpa. May 2018</span>
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Updates to Home Networking Control Protocol</span>
The final paragraph in <a href="./rfc7788#section-8">Section 8 of [RFC7788]</a>, the Home Networking
Control Protocol, is updated as follows:
OLD:
Names and unqualified zones are used in an HNCP network to provide
naming and service discovery with local significance. A network-
wide zone is appended to all single labels or unqualified zones in
order to qualify them. ".home" is the default; however, an
administrator MAY configure the announcement of a Domain-Name TLV
(<a href="#section-10.6">Section 10.6</a>) for the network to use a different one. In case
multiple are announced, the domain of the node with the greatest
node identifier takes precedence.
NEW:
Names and unqualified zones are used in an HNCP network to provide
naming and service discovery with local significance. A network-
wide zone is appended to all single labels or unqualified zones in
order to qualify them. 'home.arpa.' is the default; however, an
administrator MAY configure the announcement of a Domain-Name TLV
(<a href="#section-10.6">Section 10.6</a>) for the network to use a different one. In case
multiple TLVs are announced, the domain of the node with the
greatest node identifier takes precedence.
The 'home.arpa.' special-use name does not require a special
resolution protocol. Names for which the rightmost two labels are
'home.arpa.' are resolved using the DNS protocol [<a href="./rfc1035" title=""Domain names - implementation and specification"">RFC1035</a>].
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Security Considerations</span>
<span class="h3"><a class="selflink" id="section-6.1" href="#section-6.1">6.1</a>. Local Significance</span>
A DNS record that is returned as a response to a query for a Fully
Qualified Domain Name (FQDN) that is a subdomain of 'home.arpa.' is
expected to have local significance. It is expected to be returned
by a server involved in name resolution for the homenet the device is
connected in. However, such a response MUST NOT be considered more
trustworthy than a similar response for any other DNS query.
Because 'home.arpa.' is not globally scoped and cannot be secured
using DNSSEC based on the root domain's trust anchor, there is no way
to tell, using a standard DNS query, in which homenet scope an answer
belongs. Consequently, users may experience surprising results with
such names when roaming to different homenets.
<span class="grey">Pfister & Lemon Standards Track [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc8375">RFC 8375</a> home.arpa. May 2018</span>
To prevent this from happening, it could be useful for the resolver
on the host to securely differentiate between different homenets and
between identical names on different homenets. However, a mechanism
for doing this has not yet been standardized and doing so is out of
scope for this document. It is expected that this will be explored
in future work.
The advice in <a href="./rfc6303#section-7">[RFC6303], Section 7</a>, to install local trust anchors
for locally served zones can only work if there is some way of
configuring the trust anchor in the host. Homenet currently
specifies no mechanism for configuring such trust anchors. As a
result, while this advice sounds good, it is not practicable.
Also, although it might be useful to install a trust anchor for a
particular instance of 'home.arpa.', it's reasonable to expect that a
host with such a trust anchor might, from time to time, connect to
more than one network with its own instance of 'home.arpa.'. Such a
host would be unable to access services on any instance of
'home.arpa.' other than the one for which a trust anchor was
configured.
It is, in principle, possible to attach an identifier to an instance
of 'home.arpa.' that could be used to identify which trust anchor to
rely on for validating names in that particular instance. However,
the security implications of this are complicated, and such a
mechanism, as well as a discussion of those implications, is out of
scope for this document.
<span class="h3"><a class="selflink" id="section-6.2" href="#section-6.2">6.2</a>. Insecure Delegation</span>
It is not possible to install a trust anchor (a DS RR) for this zone
in the '.arpa' zone. The reason for this is that in order to do so,
it would be necessary to have the key-signing key for the zone (see
<a href="./rfc4034#section-5">Section 5 of [RFC4034]</a>). Since the zone is not globally unique, no
one key would work.
An alternative would be to provide an authenticated denial of
existence (see <a href="./rfc4033#section-3.2">Section 3.2 of [RFC4033]</a>). This would be done simply
by not having a delegation from the 'arpa.' zone. However, this
requires the validating resolver to treat 'home.arpa.' specially. If
a validating resolver that doesn't treat 'home.arpa.' specially
attempts to validate a name in 'home.arpa.', an authenticated denial
of existence of 'home' as a subdomain of 'arpa.' would cause the
validation to fail. Therefore, the only delegation that will allow
names under 'home.arpa.' to be resolved by all validating resolvers
is an insecure delegation, as in <a href="./rfc6303#section-7">Section 7 of [RFC6303]</a>.
<span class="grey">Pfister & Lemon Standards Track [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc8375">RFC 8375</a> home.arpa. May 2018</span>
Consequently, unless a trust anchor for the particular instance of
the 'home.arpa.' zone being validated is manually configured on the
validating resolver, DNSSEC signing and validation of names within
the 'home.arpa.' zone is not possible.
<span class="h3"><a class="selflink" id="section-6.3" href="#section-6.3">6.3</a>. Bypassing Manually Configured Resolvers</span>
In item 3 of <a href="#section-4">Section 4</a>, an exception is made to the behavior of stub
resolvers that allows them to query local resolvers for subdomains of
'home.arpa.' even when they have been manually configured to use
other resolvers. This behavior obviously has security and privacy
implications and may not be desirable depending on the context. It
may be better to simply ignore this exception and, when one or more
recursive resolvers are configured manually, simply fail to provide
correct answers for subdomains of 'home.arpa.'. At this time, we do
not have operational experience that would guide us in making this
decision; implementors are encouraged to consider the context in
which their software will be deployed when deciding how to resolve
this question.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Delegation of 'home.arpa.'</span>
In order to be fully functional, there must be a delegation of
'home.arpa.' in the '.arpa.' zone [<a href="./rfc3172" title=""Management Guidelines & Operational Requirements for the Address and Routing Parameter Area Domain ("">RFC3172</a>]. This delegation MUST
NOT include a DS record and MUST point to one or more black hole
servers, for example, 'blackhole-1.iana.org.' and 'blackhole-
2.iana.org.'. The reason that this delegation must not be signed is
that not signing the delegation breaks the DNSSEC chain of trust,
which prevents a validating stub resolver from rejecting names
published under 'home.arpa.' on a homenet name server.
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. IANA Considerations</span>
IANA has recorded the domain name 'home.arpa.' in the "Special-Use
Domain Names" registry [<a href="#ref-SUDN" title=""Special-Use Domain Names"">SUDN</a>]. IANA, with the approval of the IAB,
has implemented the delegation requested in <a href="#section-7">Section 7</a>.
IANA has created a new subregistry within the "Locally-Served DNS
Zones" registry [<a href="#ref-LSDZ" title=""Locally-Served DNS Zones"">LSDZ</a>], titled "Transport-Independent Locally-Served
DNS Zone Registry", with the same format as the other subregistries.
IANA has added an entry in this new registry for 'home.arpa.' with
the description "Homenet Special-Use Domain", listing this document
as the reference. The registration procedure for this subregistry
should be the same as for the others, currently "IETF Review" (see
<a href="./rfc8126#section-4.8">Section 4.8 of [RFC8126]</a>).
<span class="grey">Pfister & Lemon Standards Track [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc8375">RFC 8375</a> home.arpa. May 2018</span>
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. References</span>
<span class="h3"><a class="selflink" id="section-9.1" href="#section-9.1">9.1</a>. Normative References</span>
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>,
DOI 10.17487/RFC2119, March 1997,
<<a href="https://www.rfc-editor.org/info/rfc2119">https://www.rfc-editor.org/info/rfc2119</a>>.
[<a id="ref-RFC3172">RFC3172</a>] Huston, G., Ed., "Management Guidelines & Operational
Requirements for the Address and Routing Parameter Area
Domain ("arpa")", <a href="https://www.rfc-editor.org/bcp/bcp52">BCP 52</a>, <a href="./rfc3172">RFC 3172</a>, DOI 10.17487/RFC3172,
September 2001, <<a href="https://www.rfc-editor.org/info/rfc3172">https://www.rfc-editor.org/info/rfc3172</a>>.
[<a id="ref-RFC4035">RFC4035</a>] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security
Extensions", <a href="./rfc4035">RFC 4035</a>, DOI 10.17487/RFC4035, March 2005,
<<a href="https://www.rfc-editor.org/info/rfc4035">https://www.rfc-editor.org/info/rfc4035</a>>.
[<a id="ref-RFC6303">RFC6303</a>] Andrews, M., "Locally Served DNS Zones", <a href="https://www.rfc-editor.org/bcp/bcp163">BCP 163</a>,
<a href="./rfc6303">RFC 6303</a>, DOI 10.17487/RFC6303, July 2011,
<<a href="https://www.rfc-editor.org/info/rfc6303">https://www.rfc-editor.org/info/rfc6303</a>>.
[<a id="ref-RFC6761">RFC6761</a>] Cheshire, S. and M. Krochmal, "Special-Use Domain Names",
<a href="./rfc6761">RFC 6761</a>, DOI 10.17487/RFC6761, February 2013,
<<a href="https://www.rfc-editor.org/info/rfc6761">https://www.rfc-editor.org/info/rfc6761</a>>.
[<a id="ref-RFC8174">RFC8174</a>] Leiba, B., "Ambiguity of Uppercase vs Lowercase in <a href="./rfc2119">RFC</a>
<a href="./rfc2119">2119</a> Key Words", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc8174">RFC 8174</a>, DOI 10.17487/RFC8174,
May 2017, <<a href="https://www.rfc-editor.org/info/rfc8174">https://www.rfc-editor.org/info/rfc8174</a>>.
<span class="h3"><a class="selflink" id="section-9.2" href="#section-9.2">9.2</a>. Informative References</span>
[<a id="ref-ICANN1">ICANN1</a>] "New gTLD Collision Risk Mitigation", August 2013,
<<a href="https://www.icann.org/en/system/files/files/new-gtld-collision-mitigation-05aug13-en.pdf">https://www.icann.org/en/system/files/files/</a>
<a href="https://www.icann.org/en/system/files/files/new-gtld-collision-mitigation-05aug13-en.pdf">new-gtld-collision-mitigation-05aug13-en.pdf</a>>.
[<a id="ref-ICANN2">ICANN2</a>] "New gTLD Collision Occurence Management", October 2013,
<<a href="https://www.icann.org/en/system/files/files/resolutions-new-gtld-annex-1-07oct13-en.pdf">https://www.icann.org/en/system/files/files/</a>
<a href="https://www.icann.org/en/system/files/files/resolutions-new-gtld-annex-1-07oct13-en.pdf">resolutions-new-gtld-annex-1-07oct13-en.pdf</a>>.
[<a id="ref-LSDZ">LSDZ</a>] "Locally-Served DNS Zones", July 2011,
<<a href="https://www.iana.org/assignments/locally-served-dns-zones/">https://www.iana.org/assignments/</a>
<a href="https://www.iana.org/assignments/locally-served-dns-zones/">locally-served-dns-zones/</a>>.
[<a id="ref-RFC1035">RFC1035</a>] Mockapetris, P., "Domain names - implementation and
specification", STD 13, <a href="./rfc1035">RFC 1035</a>, DOI 10.17487/RFC1035,
November 1987, <<a href="https://www.rfc-editor.org/info/rfc1035">https://www.rfc-editor.org/info/rfc1035</a>>.
<span class="grey">Pfister & Lemon Standards Track [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc8375">RFC 8375</a> home.arpa. May 2018</span>
[<a id="ref-RFC4033">RFC4033</a>] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements",
<a href="./rfc4033">RFC 4033</a>, DOI 10.17487/RFC4033, March 2005,
<<a href="https://www.rfc-editor.org/info/rfc4033">https://www.rfc-editor.org/info/rfc4033</a>>.
[<a id="ref-RFC4034">RFC4034</a>] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions",
<a href="./rfc4034">RFC 4034</a>, DOI 10.17487/RFC4034, March 2005,
<<a href="https://www.rfc-editor.org/info/rfc4034">https://www.rfc-editor.org/info/rfc4034</a>>.
[<a id="ref-RFC7368">RFC7368</a>] Chown, T., Ed., Arkko, J., Brandt, A., Troan, O., and J.
Weil, "IPv6 Home Networking Architecture Principles",
<a href="./rfc7368">RFC 7368</a>, DOI 10.17487/RFC7368, October 2014,
<<a href="https://www.rfc-editor.org/info/rfc7368">https://www.rfc-editor.org/info/rfc7368</a>>.
[<a id="ref-RFC7788">RFC7788</a>] Stenberg, M., Barth, S., and P. Pfister, "Home Networking
Control Protocol", <a href="./rfc7788">RFC 7788</a>, DOI 10.17487/RFC7788, April
2016, <<a href="https://www.rfc-editor.org/info/rfc7788">https://www.rfc-editor.org/info/rfc7788</a>>.
[<a id="ref-RFC8126">RFC8126</a>] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", <a href="https://www.rfc-editor.org/bcp/bcp26">BCP 26</a>,
<a href="./rfc8126">RFC 8126</a>, DOI 10.17487/RFC8126, June 2017,
<<a href="https://www.rfc-editor.org/info/rfc8126">https://www.rfc-editor.org/info/rfc8126</a>>.
[<a id="ref-SUDN">SUDN</a>] "Special-Use Domain Names", July 2012,
<<a href="https://www.iana.org/assignments/special-use-domain-names/">https://www.iana.org/assignments/</a>
<a href="https://www.iana.org/assignments/special-use-domain-names/">special-use-domain-names/</a>>.
<span class="grey">Pfister & Lemon Standards Track [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc8375">RFC 8375</a> home.arpa. May 2018</span>
Acknowledgments
The authors would like to thank Stuart Cheshire, as well as the
homenet chairs, Mark Townsley and Ray Bellis, for their prior work on
'.home'. We would also like to thank Paul Hoffman for providing
review and comments on the IANA Considerations section, Andrew
Sullivan for his review and proposed text, and Suzanne Woolf and Ray
Bellis for their very detailed review comments and process insights.
Thanks to Mark Andrews for providing an exhaustive reference list on
the topic of insecure delegations. Thanks to Dale Worley for
catching a rather egregious mistake and for the Gen-Art review, and
thanks to Daniel Migault for a thorough SecDir review. Thanks to
Warren Kumari for catching some additional issues and to Adam Roach
for some helpful clarifications.
Authors' Addresses
Pierre Pfister
Cisco Systems
Paris
France
Email: pierre.pfister@darou.fr
Ted Lemon
Nibbhaya Consulting
P.O. Box 958
Brattleboro, Vermont 05301-0958
United States of America
Email: mellon@fugue.com
Pfister & Lemon Standards Track [Page 12]
</pre>
|
