Home

RFC3467

  1. RFC 3467
Network Working Group                                         J. Klensin
Request for Comments: 3467                                 February 2003
Category: Informational


                  Role of the Domain Name System (DNS)

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   This document reviews the original function and purpose of the domain
   name system (DNS).  It contrasts that history with some of the
   purposes for which the DNS has recently been applied and some of the
   newer demands being placed upon it or suggested for it.  A framework
   for an alternative to placing these additional stresses on the DNS is
   then outlined.  This document and that framework are not a proposed
   solution, only a strong suggestion that the time has come to begin
   thinking more broadly about the problems we are encountering and
   possible approaches to solving them.

Table of Contents

   1.  Introduction and History .....................................  2
      1.1 Context for DNS Development ...............................  3
      1.2 Review of the DNS and Its Role as Designed ................  4
      1.3 The Web and User-visible Domain Names .....................  6
      1.4 Internet Applications Protocols and Their Evolution .......  7
   2.  Signs of DNS Overloading .....................................  8
   3.  Searching, Directories, and the DNS .......................... 12
      3.1 Overview  ................................................. 12
      3.2 Some Details and Comments ................................. 14
   4.  Internationalization ......................................... 15
      4.1 ASCII Isn't Just Because of English ....................... 16
      4.2 The "ASCII Encoding" Approaches ........................... 17
      4.3 "Stringprep" and Its Complexities ......................... 17
      4.4 The Unicode Stability Problem ............................. 19
      4.5 Audiences, End Users, and the User Interface Problem ...... 20
      4.6 Business Cards and Other Natural Uses of Natural Languages. 22
      4.7 ASCII Encodings and the Roman Keyboard Assumption ......... 22



Klensin                      Informational                      [Page 1]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


      4.8 Intra-DNS Approaches for "Multilingual Names" ............. 23
   5.  Search-based Systems: The Key Controversies .................. 23
   6.  Security Considerations ...................................... 24
   7.  References ................................................... 25
      7.1 Normative References ...................................... 25
      7.2 Explanatory and Informative References .................... 25
   8.  Acknowledgements ............................................. 30
   9.  Author's Address ............................................. 30
   10. Full Copyright Statement ..................................... 31

1. Introduction and History

   The DNS was designed as a replacement for the older "host table"
   system.  Both were intended to provide names for network resources at
   a more abstract level than network (IP) addresses (see, e.g.,
   [RFC625], [RFC811], [RFC819], [RFC830], [RFC882]).  In recent years,
   the DNS has become a database of convenience for the Internet, with
   many proposals to add new features.  Only some of these proposals
   have been successful.  Often the main (or only) motivation for using
   the DNS is because it exists and is widely deployed, not because its
   existing structure, facilities, and content are appropriate for the
   particular application of data involved.  This document reviews the
   history of the DNS, including examination of some of those newer
   applications.  It then argues that the overloading process is often
   inappropriate.  Instead, it suggests that the DNS should be
   supplemented by systems better matched to the intended applications
   and outlines a framework and rationale for one such system.

   Several of the comments that follow are somewhat revisionist.  Good
   design and engineering often requires a level of intuition by the
   designers about things that will be necessary in the future; the
   reasons for some of these design decisions are not made explicit at
   the time because no one is able to articulate them.  The discussion
   below reconstructs some of the decisions about the Internet's primary
   namespace (the "Class=IN" DNS) in the light of subsequent development
   and experience.  In addition, the historical reasons for particular
   decisions about the Internet were often severely underdocumented
   contemporaneously and, not surprisingly, different participants have
   different recollections about what happened and what was considered
   important.  Consequently, the quasi-historical story below is just
   one story.  There may be (indeed, almost certainly are) other stories
   about how the DNS evolved to its present state, but those variants do
   not invalidate the inferences and conclusions.

   This document presumes a general understanding of the terminology of
   RFC 1034 [RFC1034] or of any good DNS tutorial (see, e.g., [Albitz]).





Klensin                      Informational                      [Page 2]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


1.1  Context for DNS Development

   During the entire post-startup-period life of the ARPANET and nearly
   the first decade or so of operation of the Internet, the list of host
   names and their mapping to and from addresses was maintained in a
   frequently-updated "host table" [RFC625], [RFC811], [RFC952].  The
   names themselves were restricted to a subset of ASCII [ASCII] chosen
   to avoid ambiguities in printed form, to permit interoperation with
   systems using other character codings (notably EBCDIC), and to avoid
   the "national use" code positions of ISO 646 [IS646].  These
   restrictions later became collectively known as the "LDH" rules for
   "letter-digit-hyphen", the permitted characters.  The table was just
   a list with a common format that was eventually agreed upon; sites
   were expected to frequently obtain copies of, and install, new
   versions.  The host tables themselves were introduced to:

   o  Eliminate the requirement for people to remember host numbers
      (addresses).  Despite apparent experience to the contrary in the
      conventional telephone system, numeric numbering systems,
      including the numeric host number strategy, did not (and do not)
      work well for more than a (large) handful of hosts.

   o  Provide stability when addresses changed.  Since addresses -- to
      some degree in the ARPANET and more importantly in the
      contemporary Internet -- are a function of network topology and
      routing, they often had to be changed when connectivity or
      topology changed.  The names could be kept stable even as
      addresses changed.

   o  Provide the capability to have multiple addresses associated with
      a given host to reflect different types of connectivity and
      topology.  Use of names, rather than explicit addresses, avoided
      the requirement that would otherwise exist for users and other
      hosts to track these multiple host numbers and addresses and the
      topological considerations for selecting one over others.

   After several years of using the host table approach, the community
   concluded that model did not scale adequately and that it would not
   adequately support new service variations.  A number of discussions
   and meetings were held which drew several ideas and incomplete
   proposals together.  The DNS was the result of that effort.  It
   continued to evolve during the design and initial implementation
   period, with a number of documents recording the changes (see
   [RFC819], [RFC830], and [RFC1034]).







Klensin                      Informational                      [Page 3]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


   The goals for the DNS included:

   o  Preservation of the capabilities of the host table arrangements
      (especially unique, unambiguous, host names),

   o  Provision for addition of additional services (e.g., the special
      record types for electronic mail routing which quickly followed
      introduction of the DNS), and

   o  Creation of a robust, hierarchical, distributed, name lookup
      system to accomplish the other goals.

   The DNS design also permitted distribution of name administration,
   rather than requiring that each host be entered into a single,
   central, table by a central administration.

1.2 Review of the DNS and Its Role as Designed

   The DNS was designed to identify network resources.  Although there
   was speculation about including, e.g., personal names and email
   addresses, it was not designed primarily to identify people, brands,
   etc.  At the same time, the system was designed with the flexibility
   to accommodate new data types and structures, both through the
   addition of new record types to the initial "INternet" class, and,
   potentially, through the introduction of new classes.  Since the
   appropriate identifiers and content of those future extensions could
   not be anticipated, the design provided that these fields could
   contain any (binary) information, not just the restricted text forms
   of the host table.

   However, the DNS, as it is actually used, is intimately tied to the
   applications and application protocols that utilize it, often at a
   fairly low level.

   In particular, despite the ability of the protocols and data
   structures themselves to accommodate any binary representation, DNS
   names as used were historically not even unrestricted ASCII, but a
   very restricted subset of it, a subset that derives from the original
   host table naming rules.  Selection of that subset was driven in part
   by human factors considerations, including a desire to eliminate
   possible ambiguities in an international context.  Hence character
   codes that had international variations in interpretation were
   excluded, the underscore character and case distinctions were
   eliminated as being confusing (in the underscore's case, with the
   hyphen character) when written or read by people, and so on.  These
   considerations appear to be very similar to those that resulted in
   similarly restricted character sets being used as protocol elements
   in many ITU and ISO protocols (cf. [X29]).



Klensin                      Informational                      [Page 4]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


   Another assumption was that there would be a high ratio of physical
   hosts to second level domains and, more generally, that the system
   would be deeply hierarchical, with most systems (and names) at the
   third level or below and a very large percentage of the total names
   representing physical hosts.  There are domains that follow this
   model: many university and corporate domains use fairly deep
   hierarchies, as do a few country-oriented top level domains
   ("ccTLDs").  Historically, the "US." domain has been an excellent
   example of the deeply hierarchical approach.  However, by 1998,
   comparison of several efforts to survey the DNS showed a count of SOA
   records that approached (and may have passed) the number of distinct
   hosts.  Looked at differently, we appear to be moving toward a
   situation in which the number of delegated domains on the Internet is
   approaching or exceeding the number of hosts, or at least the number
   of hosts able to provide services to others on the network.  This
   presumably results from synonyms or aliases that map a great many
   names onto a smaller number of hosts.  While experience up to this
   time has shown that the DNS is robust enough -- given contemporary
   machines as servers and current bandwidth norms -- to be able to
   continue to operate reasonably well when those historical assumptions
   are not met (e.g., with a flat, structure under ".COM" containing
   well over ten million delegated subdomains [COMSIZE]), it is still
   useful to remember that the system could have been designed to work
   optimally with a flat structure (and very large zones) rather than a
   deeply hierarchical one, and was not.

   Similarly, despite some early speculation about entering people's
   names and email addresses into the DNS directly (e.g., see
   [RFC1034]), electronic mail addresses in the Internet have preserved
   the original, pre-DNS, "user (or mailbox) at location" conceptual
   format rather than a flatter or strictly dot-separated one.
   Location, in that instance, is a reference to a host. The sole
   exception, at least in the "IN" class, has been one field of the SOA
   record.

   Both the DNS architecture itself and the two-level (host name and
   mailbox name) provisions for email and similar functions (e.g., see
   the finger protocol [FINGER]), also anticipated a relatively high
   ratio of users to actual hosts.  Despite the observation in RFC 1034
   that the DNS was expected to grow to be proportional to the number of
   users (section 2.3), it has never been clear that the DNS was
   seriously designed for, or could, scale to the order of magnitude of
   number of users (or, more recently, products or document objects),
   rather than that of physical hosts.

   Just as was the case for the host table before it, the DNS provided
   critical uniqueness for names, and universal accessibility to them,
   as part of overall "single internet" and "end to end" models (cf.



Klensin                      Informational                      [Page 5]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


   [RFC2826]).  However, there are many signs that, as new uses evolved
   and original assumptions were abused (if not violated outright), the
   system was being stretched to, or beyond, its practical limits.

   The original design effort that led to the DNS included examination
   of the directory technologies available at the time.  The design
   group concluded that the DNS design, with its simplifying assumptions
   and restricted capabilities, would be feasible to deploy and make
   adequately robust, which the more comprehensive directory approaches
   were not.  At the same time, some of the participants feared that the
   limitations might cause future problems; this document essentially
   takes the position that they were probably correct.  On the other
   hand, directory technology and implementations have evolved
   significantly in the ensuing years: it may be time to revisit the
   assumptions, either in the context of the two- (or more) level
   mechanism contemplated by the rest of this document or, even more
   radically, as a path toward a DNS replacement.

1.3 The Web and User-visible Domain Names

   From the standpoint of the integrity of the domain name system -- and
   scaling of the Internet, including optimal accessibility to content
   -- the web design decision to use "A record" domain names directly in
   URLs, rather than some system of indirection, has proven to be a
   serious mistake in several respects.  Convenience of typing, and the
   desire to make domain names out of easily-remembered product names,
   has led to a flattening of the DNS, with many people now perceiving
   that second-level names under COM (or in some countries, second- or
   third-level names under the relevant ccTLD) are all that is
   meaningful.  This perception has been reinforced by some domain name
   registrars [REGISTRAR] who have been anxious to "sell" additional
   names.  And, of course, the perception that one needed a second-level
   (or even top-level) domain per product, rather than having names
   associated with a (usually organizational) collection of network
   resources, has led to a rapid acceleration in the number of names
   being registered.  That acceleration has, in turn, clearly benefited
   registrars charging on a per-name basis, "cybersquatters", and others
   in the business of "selling" names, but it has not obviously
   benefited the Internet as a whole.

   This emphasis on second-level domain names has also created a problem
   for the trademark community.  Since the Internet is international,
   and names are being populated in a flat and unqualified space,
   similarly-named entities are in conflict even if there would
   ordinarily be no chance of confusing them in the marketplace.  The
   problem appears to be unsolvable except by a choice between draconian
   measures.  These might include significant changes to the legislation
   and conventions that govern disputes over "names" and "marks".  Or



Klensin                      Informational                      [Page 6]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


   they might result in a situation in which the "rights" to a name are
   typically not settled using the subtle and traditional product (or
   industry) type and geopolitical scope rules of the trademark system.
   Instead they have depended largely on political or economic power,
   e.g., the organization with the greatest resources to invest in
   defending (or attacking) names will ultimately win out.  The latter
   raises not only important issues of equity, but also the risk of
   backlash as the numerous small players are forced to relinquish names
   they find attractive and to adopt less-desirable naming conventions.

   Independent of these sociopolitical problems, content distribution
   issues have made it clear that it should be possible for an
   organization to have copies of data it wishes to make available
   distributed around the network, with a user who asks for the
   information by name getting the topologically-closest copy.  This is
   not possible with simple, as-designed, use of the DNS: DNS names
   identify target resources or, in the case of email "MX" records, a
   preferentially-ordered list of resources "closest" to a target (not
   to the source/user).  Several technologies (and, in some cases,
   corresponding business models) have arisen to work around these
   problems, including intercepting and altering DNS requests so as to
   point to other locations.

   Additional implications are still being discovered and evaluated.

   Approaches that involve interception of DNS queries and rewriting of
   DNS names (or otherwise altering the resolution process based on the
   topological location of the user) seem, however, to risk disrupting
   end-to-end applications in the general case and raise many of the
   issues discussed by the IAB in [IAB-OPES].  These problems occur even
   if the rewriting machinery is accompanied by additional workarounds
   for particular applications.  For example, security associations and
   applications that need to identify "the same host" often run into
   problems if DNS names or other references are changed in the network
   without participation of the applications that are trying to invoke
   the associated services.

1.4 Internet Applications Protocols and Their Evolution

   At the applications level, few of the protocols in active,
   widespread, use on the Internet reflect either contemporary knowledge
   in computer science or human factors or experience accumulated
   through deployment and use.  Instead, protocols tend to be deployed
   at a just-past-prototype level, typically including the types of
   expedient compromises typical with prototypes.  If they prove useful,
   the nature of the network permits very rapid dissemination (i.e.,
   they fill a vacuum, even if a vacuum that no one previously knew
   existed).  But, once the vacuum is filled, the installed base



Klensin                      Informational                      [Page 7]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


   provides its own inertia: unless the design is so seriously faulty as
   to prevent effective use (or there is a widely-perceived sense of
   impending disaster unless the protocol is replaced), future
   developments must maintain backward compatibility and workarounds for
   problematic characteristics rather than benefiting from redesign in
   the light of experience.  Applications that are "almost good enough"
   prevent development and deployment of high-quality replacements.

   The DNS is both an illustration of, and an exception to, parts of
   this pessimistic interpretation. It was a second-generation
   development, with the host table system being seen as at the end of
   its useful life.  There was a serious attempt made to reflect the
   computing state of the art at the time.  However, deployment was much
   slower than expected (and very painful for many sites) and some fixed
   (although relaxed several times) deadlines from a central network
   administration were necessary for deployment to occur at all.
   Replacing it now, in order to add functionality, while it continues
   to perform its core functions at least reasonably well, would
   presumably be extremely difficult.

   There are many, perhaps obvious, examples of this.  Despite many
   known deficiencies and weaknesses of definition, the "finger" and
   "whois" [WHOIS] protocols have not been replaced (despite many
   efforts to update or replace the latter [WHOIS-UPDATE]).  The Telnet
   protocol and its many options drove out the SUPDUP [RFC734] one,
   which was arguably much better designed for a diverse collection of
   network hosts.  A number of efforts to replace the email or file
   transfer protocols with models which their advocates considered much
   better have failed.  And, more recently and below the applications
   level, there is some reason to believe that this resistance to change
   has been one of the factors impeding IPv6 deployment.

2. Signs of DNS Overloading

   Parts of the historical discussion above identify areas in which the
   DNS has become overloaded (semantically if not in the mechanical
   ability to resolve names).  Despite this overloading, it appears that
   DNS performance and reliability are still within an acceptable range:
   there is little evidence of serious performance degradation.  Recent
   proposals and mechanisms to better respond to overloading and scaling
   issues have all focused on patching or working around limitations
   that develop when the DNS is utilized for out-of-design functions,
   rather than on dramatic rethinking of either DNS design or those
   uses.  The number of these issues that have arisen at much the same
   time may argue for just that type of rethinking, and not just for
   adding complexity and attempting to incrementally alter the design
   (see, for example, the discussion of simplicity in section 2 of
   [RFC3439]).



Klensin                      Informational                      [Page 8]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


   For example:

   o  While technical approaches such as larger and higher-powered
      servers and more bandwidth, and legal/political mechanisms such as
      dispute resolution policies, have arguably kept the problems from
      becoming critical, the DNS has not proven adequately responsive to
      business and individual needs to describe or identify things (such
      as product names and names of individuals) other than strict
      network resources.

   o  While stacks have been modified to better handle multiple
      addresses on a physical interface and some protocols have been
      extended to include DNS names for determining context, the DNS
      does not deal especially well with many names associated with a
      given host (e.g., web hosting facilities with multiple domains on
      a server).

   o  Efforts to add names deriving from languages or character sets
      based on other than simple ASCII and English-like names (see
      below), or even to utilize complex company or product names
      without the use of hierarchy, have created apparent requirements
      for names (labels) that are over 63 octets long.  This requirement
      will undoubtedly increase over time; while there are workarounds
      to accommodate longer names, they impose their own restrictions
      and cause their own problems.

   o  Increasing commercialization of the Internet, and visibility of
      domain names that are assumed to match names of companies or
      products, has turned the DNS and DNS names into a trademark
      battleground.  The traditional trademark system in (at least) most
      countries makes careful distinctions about fields of
      applicability.  When the space is flattened, without
      differentiation by either geography or industry sector, not only
      are there likely conflicts between "Joe's Pizza" (of Boston) and
      "Joe's Pizza" (of San Francisco) but between both and "Joe's Auto
      Repair" (of Los Angeles).  All three would like to control
      "Joes.com" (and would prefer, if it were permitted by DNS naming
      rules, to also spell it as "Joe's.com" and have both resolve the
      same way) and may claim trademark rights to do so, even though
      conflict or confusion would not occur with traditional trademark
      principles.

   o  Many organizations wish to have different web sites under the same
      URL and domain name.  Sometimes this is to create local variations
      -- the Widget Company might want to present different material to
      a UK user relative to a US one -- and sometimes it is to provide
      higher performance by supplying information from the server
      topologically closest to the user.  If the name resolution



Klensin                      Informational                      [Page 9]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


      mechanism is expected to provide this functionality, there are
      three possible models (which might be combined):

      -  supply information about multiple sites (or locations or
         references).  Those sites would, in turn, provide information
         associated with the name and sufficient site-specific
         attributes to permit the application to make a sensible choice
         of destination, or

      -  accept client-site attributes and utilize them in the search
         process, or

      -  return different answers based on the location or identity of
         the requestor.

   While there are some tricks that can provide partial simulations of
   these types of function, DNS responses cannot be reliably conditioned
   in this way.

   These, and similar, issues of performance or content choices can, of
   course, be thought of as not involving the DNS at all.  For example,
   the commonly-cited alternate approach of coupling these issues to
   HTTP content negotiation (cf. [RFC2295]), requires that an HTTP
   connection first be opened to some "common" or "primary" host so that
   preferences can be negotiated and then the client redirected or sent
   alternate data.  At least from the standpoint of improving
   performance by accessing a "closer" location, both initially and
   thereafter, this approach sacrifices the desired result before the
   client initiates any action.  It could even be argued that some of
   the characteristics of common content negotiation approaches are
   workarounds for the non-optimal use of the DNS in web URLs.

   o  Many existing and proposed systems for "finding things on the
      Internet" require a true search capability in which near matches
      can be reported to the user (or to some user agent with an
      appropriate rule-set) and to which queries may be ambiguous or
      fuzzy.  The DNS, by contrast, can accommodate only one set of
      (quite rigid) matching rules.  Proposals to permit different rules
      in different localities (e.g., matching rules that are TLD- or
      zone-specific) help to identify the problem.  But they cannot be
      applied directly to the DNS without either abandoning the desired
      level of flexibility or isolating different parts of the Internet
      from each other (or both).  Fuzzy or ambiguous searches are
      desirable for resolution of names that might have spelling
      variations and for names that can be resolved into different sets
      of glyphs depending on context.  Especially when
      internationalization is considered, variant name problems go
      beyond simple differences in representation of a character or



Klensin                      Informational                     [Page 10]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


      ordering of a string.  Instead, avoiding user astonishment and
      confusion requires consideration of relationships such as
      languages that can be written with different alphabets, Kanji-
      Hiragana relationships, Simplified and Traditional Chinese, etc.
      See [Seng] for a discussion and suggestions for addressing a
      subset of these issues in the context of characters based on
      Chinese ones.  But that document essentially illustrates the
      difficulty of providing the type of flexible matching that would
      be anticipated by users; instead, it tries to protect against the
      worst types of confusion (and opportunities for fraud).

   o  The historical DNS, and applications that make assumptions about
      how it works, impose significant risk (or forces technical kludges
      and consequent odd restrictions), when one considers adding
      mechanisms for use with various multi-character-set and
      multilingual "internationalization" systems.  See the IAB's
      discussion of some of these issues [RFC2825] for more information.

   o  In order to provide proper functionality to the Internet, the DNS
      must have a single unique root (the IAB provides more discussion
      of this issue [RFC2826]).  There are many desires for local
      treatment of names or character sets that cannot be accommodated
      without either multiple roots (e.g., a separate root for
      multilingual names, proposed at various times by MINC [MINC] and
      others), or mechanisms that would have similar effects in terms of
      Internet fragmentation and isolation.

   o  For some purposes, it is desirable to be able to search not only
      an index entry (labels or fully-qualified names in the DNS case),
      but their values or targets (DNS data).  One might, for example,
      want to locate all of the host (and virtual host) names which
      cause mail to be directed to a given server via MX records.  The
      DNS does not support this capability (see the discussion in
      [IQUERY]) and it can be simulated only by extracting all of the
      relevant records (perhaps by zone transfer if the source permits
      doing so, but that permission is becoming less frequently
      available) and then searching a file built from those records.

   o  Finally, as additional types of personal or identifying
      information are added to the DNS, issues arise with protection of
      that information.  There are increasing calls to make different
      information available based on the credentials and authorization
      of the source of the inquiry.  As with information keyed to site
      locations or proximity (as discussed above), the DNS protocols
      make providing these differentiated services quite difficult if
      not impossible.





Klensin                      Informational                     [Page 11]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


   In each of these cases, it is, or might be, possible to devise ways
   to trick the DNS system into supporting mechanisms that were not
   designed into it.  Several ingenious solutions have been proposed in
   many of these areas already, and some have been deployed into the
   marketplace with some success.  But the price of each of these
   changes is added complexity and, with it, added risk of unexpected
   and destabilizing problems.

   Several of the above problems are addressed well by a good directory
   system (supported by the LDAP protocol or some protocol more
   precisely suited to these specific applications) or searching
   environment (such as common web search engines) although not by the
   DNS.  Given the difficulty of deploying new applications discussed
   above, an important question is whether the tricks and kludges are
   bad enough, or will become bad enough as usage grows, that new
   solutions are needed and can be deployed.

3. Searching, Directories, and the DNS

3.1 Overview

   The constraints of the DNS and the discussion above suggest the
   introduction of an intermediate protocol mechanism, referred to below
   as a "search layer" or "searchable system".  The terms "directory"
   and "directory system" are used interchangeably with "searchable
   system" in this document, although the latter is far more precise.
   Search layer proposals would use a two (or more) stage lookup, not
   unlike several of the proposals for internationalized names in the
   DNS (see section 4), but all operations but the final one would
   involve searching other systems, rather than looking up identifiers
   in the DNS itself.  As explained below, this would permit relaxation
   of several constraints, leading to a more capable and comprehensive
   overall system.

   Ultimately, many of the issues with domain names arise as the result
   of efforts to use the DNS as a directory.  While, at the time this
   document was written, sufficient pressure or demand had not occurred
   to justify a change, it was already quite clear that, as a directory
   system, the DNS is a good deal less than ideal.  This document
   suggests that there actually is a requirement for a directory system,
   and that the right solution to a searchable system requirement is a
   searchable system, not a series of DNS patches, kludges, or
   workarounds.








Klensin                      Informational                     [Page 12]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


   The following points illustrate particular aspects of this
   conclusion.

   o  A directory system would not require imposition of particular
      length limits on names.

   o  A directory system could permit explicit association of
      attributes, e.g., language and country, with a name, without
      having to utilize trick encodings to incorporate that information
      in DNS labels (or creating artificial hierarchy for doing so).

   o  There is considerable experience (albeit not much of it very
      successful) in doing fuzzy and "sonex" (similar-sounding) matching
      in directory systems.  Moreover, it is plausible to think about
      different matching rules for different areas and sets of names so
      that these can be adapted to local cultural requirements.
      Specifically, it might be possible to have a single form of a name
      in a directory, but to have great flexibility about what queries
      matched that name (and even have different variations in different
      areas).  Of course, the more flexibility that a system provides,
      the greater the possibility of real or imagined trademark
      conflicts.  But the opportunity would exist to design a directory
      structure that dealt with those issues in an intelligent way,
      while DNS constraints almost certainly make a general and
      equitable DNS-only solution impossible.

   o  If a directory system is used to translate to DNS names, and then
      DNS names are looked up in the normal fashion, it may be possible
      to relax several of the constraints that have been traditional
      (and perhaps necessary) with the DNS.  For example, reverse-
      mapping of addresses to directory names may not be a requirement
      even if mapping of addresses to DNS names continues to be, since
      the DNS name(s) would (continue to) uniquely identify the host.

   o  Solutions to multilingual transcription problems that are common
      in "normal life" (e.g., two-sided business cards to be sure that
      recipients trying to contact a person can access romanized
      spellings and numbers if the original language is not
      comprehensible to them) can be easily handled in a directory
      system by inserting both sets of entries.

   o  A directory system could be designed that would return, not a
      single name, but a set of names paired with network-locational
      information or other context-establishing attributes.  This type
      of information might be of considerable use in resolving the
      "nearest (or best) server for a particular named resource"





Klensin                      Informational                     [Page 13]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


      problems that are a significant concern for organizations hosting
      web and other sites that are accessed from a wide range of
      locations and subnets.

   o  Names bound to countries and languages might help to manage
      trademark realities, while, as discussed in section 1.3 above, use
      of the DNS in trademark-significant contexts tends to require
      worldwide "flattening" of the trademark system.

   Many of these issues are a consequence of another property of the
   DNS:  names must be unique across the Internet.  The need to have a
   system of unique identifiers is fairly obvious (see [RFC2826]).
   However, if that requirement were to be eliminated in a search or
   directory system that was visible to users instead of the DNS, many
   difficult problems -- of both an engineering and a policy nature --
   would be likely to vanish.

3.2 Some Details and Comments

   Almost any internationalization proposal for names that are in, or
   map into, the DNS will require changing DNS resolver API calls
   ("gethostbyname" or equivalent), or adding some pre-resolution
   preparation mechanism, in almost all Internet applications -- whether
   to cause the API to take a different character set (no matter how it
   is then mapped into the bits used in the DNS or another system), to
   accept or return more arguments with qualifying or identifying
   information, or otherwise.  Once applications must be opened to make
   such changes, it is a relatively small matter to switch from calling
   into the DNS to calling a directory service and then the DNS (in many
   situations, both actions could be accomplished in a single API call).

   A directory approach can be consistent both with "flat" models and
   multi-attribute ones.  The DNS requires strict hierarchies, limiting
   its ability to differentiate among names by their properties.  By
   contrast, modern directories can utilize independently-searched
   attributes and other structured schema to provide flexibilities not
   present in a strictly hierarchical system.

   There is a strong historical argument for a single directory
   structure (implying a need for mechanisms for registration,
   delegation, etc.).  But a single structure is not a strict
   requirement, especially if in-depth case analysis and design work
   leads to the conclusion that reverse-mapping to directory names is
   not a requirement (see section 5).  If a single structure is not
   needed, then, unlike the DNS, there would be no requirement for a
   global organization to authorize or delegate operation of portions of
   the structure.




Klensin                      Informational                     [Page 14]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


   The "no single structure" concept could be taken further by moving
   away from simple "names" in favor of, e.g., multiattribute,
   multihierarchical, faceted systems in which most of the facets use
   restricted vocabularies.  (These terms are fairly standard in the
   information retrieval and classification system literature, see,
   e.g., [IS5127].)  Such systems could be designed to avoid the need
   for procedures to ensure uniqueness across, or even within, providers
   and databases of the faceted entities for which the search is to be
   performed.  (See [DNS-Search] for further discussion.)

   While the discussion above includes very general comments about
   attributes, it appears that only a very small number of attributes
   would be needed.  The list would almost certainly include country and
   language for internationalization purposes.  It might require
   "charset" if we cannot agree on a character set and encoding,
   although there are strong arguments for simply using ISO 10646 (also
   known as Unicode or "UCS" (for Universal Character Set) [UNICODE],
   [IS10646] coding in interchange.  Trademark issues might motivate
   "commercial" and "non-commercial" (or other) attributes if they would
   be helpful in bypassing trademark problems.  And applications to
   resource location, such as those contemplated for Uniform Resource
   Identifiers (URIs) [RFC2396, RFC3305] or the Service Location
   Protocol [RFC2608], might argue for a few other attributes (as
   outlined above).

4.  Internationalization

   Much of the thinking underlying this document was driven by
   considerations of internationalizing the DNS or, more specifically,
   providing access to the functions of the DNS from languages and
   naming systems that cannot be accurately expressed in the traditional
   DNS subset of ASCII.  Much of the relevant work was done in the
   IETF's "Internationalized Domain Names" Working Group (IDN-WG),
   although this document also draws on extensive parallel discussions
   in other forums.  This section contains an evaluation of what was
   learned as an "internationalized DNS" or "multilingual DNS" was
   explored and suggests future steps based on that evaluation.

   When the IDN-WG was initiated, it was obvious to several of the
   participants that its first important task was an undocumented one:
   to increase the understanding of the complexities of the problem
   sufficiently that naive solutions could be rejected and people could
   go to work on the harder problems.  The IDN-WG clearly accomplished
   that task. The beliefs that the problems were simple, and in the
   corresponding simplistic approaches and their promises of quick and
   painless deployment, effectively disappeared as the WG's efforts
   matured.




Klensin                      Informational                     [Page 15]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


   Some of the lessons learned from increased understanding and the
   dissipation of naive beliefs should be taken as cautions by the wider
   community: the problems are not simple. Specifically, extracting
   small elements for solution rather than looking at whole systems, may
   result in obscuring the problems but not solving any problem that is
   worth the trouble.

4.1 ASCII Isn't Just Because of English

   The hostname rules chosen in the mid-70s weren't just "ASCII because
   English uses ASCII", although that was a starting point.  We have
   discovered that almost every other script (and even ASCII if we
   permit the rest of the characters specified in the ISO 646
   International Reference Version) is more complex than hostname-
   restricted-ASCII (the "LDH" form, see section 1.1).  And ASCII isn't
   sufficient to completely represent English -- there are several words
   in the language that are correctly spelled only with characters or
   diacritical marks that do not appear in ASCII.  With a broader
   selection of scripts, in some examples, case mapping works from one
   case to the other but is not reversible.  In others, there are
   conventions about alternate ways to represent characters (in the
   language, not [only] in character coding) that work most of the time,
   but not always.  And there are issues in coding, with Unicode/10646
   providing different ways to represent the same character
   ("character", rather than "glyph", is used deliberately here).  And,
   in still others, there are questions as to whether two glyphs
   "match", which may be a distance-function question, not one with a
   binary answer.  The IETF approach to these problems is to require
   pre-matching canonicalization (see the "stringprep" discussion
   below).

   The IETF has resisted the temptations to either try to specify an
   entirely new coded character set, or to pick and choose Unicode/10646
   characters on a per-character basis rather than by using well-defined
   blocks.  While it may appear that a character set designed to meet
   Internet-specific needs would be very attractive, the IETF has never
   had the expertise, resources, and representation from critically-
   important communities to actually take on that job.  Perhaps more
   important, a new effort might have chosen to make some of the many
   complex tradeoffs differently than the Unicode committee did,
   producing a code with somewhat different characteristics.  But there
   is no evidence that doing so would produce a code with fewer problems
   and side-effects.  It is much more likely that making tradeoffs
   differently would simply result in a different set of problems, which
   would be equally or more difficult.






Klensin                      Informational                     [Page 16]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


4.2 The "ASCII Encoding" Approaches

   While the DNS can handle arbitrary binary strings without known
   internal problems (see [RFC2181]), some restrictions are imposed by
   the requirement that text be interpreted in a case-independent way
   ([RFC1034], [RFC1035]).  More important, most internet applications
   assume the hostname-restricted "LDH" syntax that is specified in the
   host table RFCs and as "prudent" in RFC 1035.  If those assumptions
   are not met, many conforming implementations of those applications
   may exhibit behavior that would surprise implementors and users.  To
   avoid these potential problems, IETF internationalization work has
   focused on "ASCII-Compatible Encodings" (ACE).  These encodings
   preserve the LDH conventions in the DNS itself.  Implementations of
   applications that have not been upgraded utilize the encoded forms,
   while newer ones can be written to recognize the special codings and
   map them into non-ASCII characters. These approaches are, however,
   not problem-free even if human interface issues are ignored.  Among
   other issues, they rely on what is ultimately a heuristic to
   determine whether a DNS label is to be considered as an
   internationalized name (i.e., encoded Unicode) or interpreted as an
   actual LDH name in its own right.  And, while all determinations of
   whether a particular query matches a stored object are traditionally
   made by DNS servers, the ACE systems, when combined with the
   complexities of international scripts and names, require that much of
   the matching work be separated into a separate, client-side,
   canonicalization or "preparation" process before the DNS matching
   mechanisms are invoked [STRINGPREP].

4.3 "Stringprep" and Its Complexities

   As outlined above, the model for avoiding problems associated with
   putting non-ASCII names in the DNS and elsewhere evolved into the
   principle that strings are to be placed into the DNS only after being
   passed through a string preparation function that eliminates or
   rejects spurious character codes, maps some characters onto others,
   performs some sequence canonicalization, and generally creates forms
   that can be accurately compared.  The impact of this process on
   hostname-restricted ASCII (i.e., "LDH") strings is trivial and
   essentially adds only overhead.  For other scripts, the impact is, of
   necessity, quite significant.

   Although the general notion underlying stringprep is simple, the many
   details are quite subtle and the associated tradeoffs are complex. A
   design team worked on it for months, with considerable effort placed
   into clarifying and fine-tuning the protocol and tables.  Despite
   general agreement that the IETF would avoid getting into the business
   of defining character sets, character codings, and the associated
   conventions, the group several times considered and rejected special



Klensin                      Informational                     [Page 17]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


   treatment of code positions to more nearly match the distinctions
   made by Unicode with user perceptions about similarities and
   differences between characters.  But there were intense temptations
   (and pressures) to incorporate language-specific or country-specific
   rules.  Those temptations, even when resisted, were indicative of
   parts of the ongoing controversy or of the basic unsuitability of the
   DNS for fully internationalized names that are visible,
   comprehensible, and predictable for end users.

   There have also been controversies about how far one should go in
   these processes of preparation and transformation and, ultimately,
   about the validity of various analogies.  For example, each of the
   following operations has been claimed to be similar to case-mapping
   in ASCII:

   o  stripping of vowels in Arabic or Hebrew

   o  matching of "look-alike" characters such as upper-case Alpha in
      Greek and upper-case A in Roman-based alphabets

   o  matching of Traditional and Simplified Chinese characters that
      represent the same words,

   o  matching of Serbo-Croatian words whether written in Roman-derived
      or Cyrillic characters

   A decision to support any of these operations would have implications
   for other scripts or languages and would increase the overall
   complexity of the process.  For example, unless language-specific
   information is somehow available, performing matching between
   Traditional and Simplified Chinese has impacts on Japanese and Korean
   uses of the same "traditional" characters (e.g., it would not be
   appropriate to map Kanji into Simplified Chinese).

   Even were the IDN-WG's other work to have been abandoned completely
   or if it were to fail in the marketplace, the stringprep and nameprep
   work will continue to be extremely useful, both in identifying issues
   and problem code points and in providing a reasonable set of basic
   rules.  Where problems remain, they are arguably not with nameprep,
   but with the DNS-imposed requirement that its results, as with all
   other parts of the matching and comparison process, yield a binary
   "match or no match" answer, rather than, e.g., a value on a
   similarity scale that can be evaluated by the user or by user-driven
   heuristic functions.







Klensin                      Informational                     [Page 18]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


4.4 The Unicode Stability Problem

   ISO 10646 basically defines only code points, and not rules for using
   or comparing the characters.  This is part of a long-standing
   tradition with the work of what is now ISO/IEC JTC1/SC2: they have
   performed code point assignments and have typically treated the ways
   in which characters are used as beyond their scope.  Consequently,
   they have not dealt effectively with the broader range of
   internationalization issues.  By contrast, the Unicode Technical
   Committee (UTC) has defined, in annexes and technical reports (see,
   e.g., [UTR15]), some additional rules for canonicalization and
   comparison.  Many of those rules and conventions have been factored
   into the "stringprep" and "nameprep" work, but it is not
   straightforward to make or define them in a fashion that is
   sufficiently precise and permanent to be relied on by the DNS.

   Perhaps more important, the discussions leading to nameprep also
   identified several areas in which the UTC definitions are inadequate,
   at least without additional information, to make matching precise and
   unambiguous.  In some of these cases, the Unicode Standard permits
   several alternate approaches, none of which are an exact and obvious
   match to DNS needs.  That has left these sensitive choices up to
   IETF, which lacks sufficient in-depth expertise, much less any
   mechanism for deciding to optimize one language at the expense of
   another.

   For example, it is tempting to define some rules on the basis of
   membership in particular scripts, or for punctuation characters, but
   there is no precise definition of what characters belong to which
   script or which ones are, or are not, punctuation.  The existence of
   these areas of vagueness raises two issues: whether trying to do
   precise matching at the character set level is actually possible
   (addressed below) and whether driving toward more precision could
   create issues that cause instability in the implementation and
   resolution models for the DNS.

   The Unicode definition also evolves.  Version 3.2 appeared shortly
   after work on this document was initiated.  It added some characters
   and functionality and included a few minor incompatible code point
   changes.  IETF has secured an agreement about constraints on future
   changes, but it remains to be seen how that agreement will work out
   in practice.  The prognosis actually appears poor at this stage,
   since UTC chose to ballot a recent possible change which should have
   been prohibited by the agreement (the outcome of the ballot is not
   relevant, only that the ballot was issued rather than having the
   result be a foregone conclusion).  However, some members of the
   community consider some of the changes between Unicode 3.0 and 3.1
   and between 3.1 and 3.2, as well as this recent ballot, to be



Klensin                      Informational                     [Page 19]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


   evidence of instability and that these instabilities are better
   handled in a system that can be more flexible about handling of
   characters, scripts, and ancillary information than the DNS.

   In addition, because the systems implications of internationalization
   are considered out of scope in SC2, ISO/IEC JTC1 has assigned some of
   those issues to its SC22/WG20 (the Internationalization working group
   within the subcommittee that deals with programming languages,
   systems, and environments).  WG20 has historically dealt with
   internationalization issues thoughtfully and in depth, but its status
   has several times been in doubt in recent years.  However, assignment
   of these matters to WG20 increases the risk of eventual ISO
   internationalization standards that specify different behavior than
   the UTC specifications.

4.5 Audiences, End Users, and the User Interface Problem

   Part of what has "caused" the DNS internationalization problem, as
   well as the DNS trademark problem and several others, is that we have
   stopped thinking about "identifiers for objects" -- which normal
   people are not expected to see -- and started thinking about "names"
   -- strings that are expected not only to be readable, but to have
   linguistically-sensible and culturally-dependent meaning to non-
   specialist users.

   Within the IETF, the IDN-WG, and sometimes other groups, avoided
   addressing the implications of that transition by taking "outside our
   scope -- someone else's problem" approaches or by suggesting that
   people will just become accustomed to whatever conventions are
   adopted.  The realities of user and vendor behavior suggest that
   these approaches will not serve the Internet community well in the
   long term:

   o  If we want to make it a problem in a different part of the user
      interface structure, we need to figure out where it goes in order
      to have proof of concept of our solution.  Unlike vendors whose
      sole [business] model is the selling or registering of names, the
      IETF must produce solutions that actually work, in the
      applications context as seen by the end user.

   o  The principle that "they will get used to our conventions and
      adapt" is fine if we are writing rules for programming languages
      or an API.  But the conventions under discussion are not part of a
      semi-mathematical system, they are deeply ingrained in culture.
      No matter how often an English-speaking American is told that the
      Internet requires that the correct spelling of "colour" be used,
      he or she isn't going to be convinced. Getting a French-speaker in
      Lyon to use exactly the same lexical conventions as a French-



Klensin                      Informational                     [Page 20]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


      speaker in Quebec in order to accommodate the decisions of the
      IETF or of a registrar or registry is just not likely.  "Montreal"
      is either a misspelling or an anglicization of a similar word with
      an acute accent mark over the "e" (i.e., using the Unicode
      character U+00E9 or one of its equivalents). But global agreement
      on a rule that will determine whether the two forms should match
      -- and that won't astonish end users and speakers of one language
      or the other -- is as unlikely as agreement on whether
      "misspelling" or "anglicization" is the greater travesty.

   More generally, it is not clear that the outcome of any conceivable
   nameprep-like process is going to be good enough for practical,
   user-level, use.  In the use of human languages by humans, there are
   many cases in which things that do not match are nonetheless
   interpreted as matching.  The Norwegian/Danish character that appears
   in U+00F8 (visually, a lower case 'o' overstruck with a forward
   slash) and the "o-umlaut" German character that appears in U+00F6
   (visually, a lower case 'o' with diaeresis (or umlaut)) are clearly
   different and no matching program should yield an "equal" comparison.
   But they are more similar to each other than either of them is to,
   e.g., "e".  Humans are able to mentally make the correction in
   context, and do so easily, and they can be surprised if computers
   cannot do so.  Worse, there is a Swedish character whose appearance
   is identical to the German o-umlaut, and which shares code point
   U+00F6, but that, if the languages are known and the sounds of the
   letters or meanings of words including the character are considered,
   actually should match the Norwegian/Danish use of U+00F8.

   This text uses examples in Roman scripts because it is being written
   in English and those examples are relatively easy to render.  But one
   of the important lessons of the discussions about domain name
   internationalization in recent years is that problems similar to
   those described above exist in almost every language and script.
   Each one has its idiosyncrasies, and each set of idiosyncracies is
   tied to common usage and cultural issues that are very familiar in
   the relevant group, and often deeply held as cultural values.  As
   long as a schoolchild in the US can get a bad grade on a spelling
   test for using a perfectly valid British spelling, or one in France
   or Germany can get a poor grade for leaving off a diacritical mark,
   there are issues with the relevant language.  Similarly, if children
   in Egypt or Israel are taught that it is acceptable to write a word
   with or without vowels or stress marks, but that, if those marks are
   included, they must be the correct ones, or a user in Korea is
   potentially offended or astonished by out-of-order sequences of Jamo,
   systems based on character-at-a-time processing and simplistic
   matching, with no contextual information, are not going to satisfy
   user needs.




Klensin                      Informational                     [Page 21]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


   Users are demanding solutions that deal with language and culture.
   Systems of identifier symbol-strings that serve specialists or
   computers are, at best, a solution to a rather different (and, at the
   time this document was written, somewhat ill-defined), problem.  The
   recent efforts have made it ever more clear that, if we ignore the
   distinction between the user requirements and narrowly-defined
   identifiers, we are solving an insufficient problem.  And,
   conversely, the approaches that have been proposed to approximate
   solutions to the user requirement may be far more complex than simple
   identifiers require.

4.6 Business Cards and Other Natural Uses of Natural Languages

   Over the last few centuries, local conventions have been established
   in various parts of the world for dealing with multilingual
   situations.  It may be helpful to examine some of these.  For
   example, if one visits a country where the language is different from
   ones own, business cards are often printed on two sides, one side in
   each language.  The conventions are not completely consistent and the
   technique assumes that recipients will be tolerant. Translations of
   names or places are attempted in some situations and transliterations
   in others.  Since it is widely understood that exact translations or
   transliterations are often not possible, people typically smile at
   errors, appreciate the effort, and move on.

   The DNS situation differs from these practices in at least two ways.
   Since a global solution is required, the business card would need a
   number of sides approximating the number of languages in the world,
   which is probably impossible without violating laws of physics.  More
   important, the opportunities for tolerance don't exist:  the DNS
   requires a exact match or the lookup fails.

4.7 ASCII Encodings and the Roman Keyboard Assumption

   Part of the argument for ACE-based solutions is that they provide an
   escape for multilingual environments when applications have not been
   upgraded.  When an older application encounters an ACE-based name,
   the assumption is that the (admittedly ugly) ASCII-coded string will
   be displayed and can be typed in.  This argument is reasonable from
   the standpoint of mixtures of Roman-based alphabets, but may not be
   relevant if user-level systems and devices are involved that do not
   support the entry of Roman-based characters or which cannot
   conveniently render such characters.  Such systems are few in the
   world today, but the number can reasonably be expected to rise as the
   Internet is increasingly used by populations whose primary concern is
   with local issues, local information, and local languages.  It is,





Klensin                      Informational                     [Page 22]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


   for example, fairly easy to imagine populations who use Arabic or
   Thai scripts and who do not have routine access to scripts or input
   devices based on Roman-derived alphabets.

4.8 Intra-DNS Approaches for "Multilingual Names"

   It appears, from the cases above and others, that none of the intra-
   DNS-based solutions for "multilingual names" are workable.  They rest
   on too many assumptions that do not appear to be feasible -- that
   people will adapt deeply-entrenched language habits to conventions
   laid down to make the lives of computers easy; that we can make
   "freeze it now, no need for changes in these areas" decisions about
   Unicode and nameprep; that ACE will smooth over applications
   problems, even in environments without the ability to key or render
   Roman-based glyphs (or where user experience is such that such glyphs
   cannot easily be distinguished from each other); that the Unicode
   Consortium will never decide to repair an error in a way that creates
   a risk of DNS incompatibility; that we can either deploy EDNS
   [RFC2671] or that long names are not really important; that Japanese
   and Chinese computer users (and others) will either give up their
   local or IS 2022-based character coding solutions (for which addition
   of a large fraction of a million new code points to Unicode is almost
   certainly a necessary, but probably not sufficient, condition) or
   build leakproof and completely accurate boundary conversion
   mechanisms; that out of band or contextual information will always be
   sufficient for the "map glyph onto script" problem; and so on.  In
   each case, it is likely that about 80% or 90% of cases will work
   satisfactorily, but it is unlikely that such partial solutions will
   be good enough.  For example, suppose someone can spell her name 90%
   correctly, or a company name is matched correctly 80% of the time but
   the other 20% of attempts identify a competitor: are either likely to
   be considered adequate?

5. Search-based Systems: The Key Controversies

   For many years, a common response to requirements to locate people or
   resources on the Internet has been to invoke the term "directory".
   While an in-depth analysis of the reasons would require a separate
   document, the history of failure of these invocations has given
   "directory" efforts a bad reputation.  The effort proposed here is
   different from those predecessors for several reasons, perhaps the
   most important of which is that it focuses on a fairly-well-
   understood set of problems and needs, rather than on finding uses for
   a particular technology.

   As suggested in some of the text above, it is an open question as to
   whether the needs of the community would be best served by a single
   (even if functionally, and perhaps administratively, distributed)



Klensin                      Informational                     [Page 23]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


   directory with universal applicability, a single directory that
   supports locally-tailored search (and, most important, matching)
   functions, or multiple, locally-determined, directories.  Each has
   its attractions.  Any but the first would essentially prevent
   reverse-mapping (determination of the user-visible name of the host
   or resource from target information such as an address or DNS name).
   But reverse mapping has become less useful over the years --at least
   to users -- as more and more names have been associated with many
   host addresses and as CIDR [CIDR] has proven problematic for mapping
   smaller address blocks to meaningful names.

   Locally-tailored searches and mappings would permit national
   variations on interpretation of which strings matched which other
   ones, an arrangement that is especially important when different
   localities apply different rules to, e.g., matching of characters
   with and without diacriticals.  But, of course, this implies that a
   URL may evaluate properly or not depending on either settings on a
   client machine or the network connectivity of the user.  That is not,
   in general, a desirable situation, since it implies that users could
   not, in the general case, share URLs (or other host references) and
   that a particular user might not be able to carry references from one
   host or location to another.

   And, of course, completely separate directories would permit
   translation and transliteration functions to be embedded in the
   directory, giving much of the Internet a different appearance
   depending on which directory was chosen.  The attractions of this are
   obvious, but, unless things were very carefully designed to preserve
   uniqueness and precise identities at the right points (which may or
   may not be possible), such a system would have many of the
   difficulties associated with multiple DNS roots.

   Finally, a system of separate directories and databases, if coupled
   with removal of the DNS-imposed requirement for unique names, would
   largely eliminate the need for a single worldwide authority to manage
   the top of the naming hierarchy.

6.  Security Considerations

   The set of proposals implied by this document suggests an interesting
   set of security issues (i.e., nothing important is ever easy).  A
   directory system used for locating network resources would presumably
   need to be as carefully protected against unauthorized changes as the
   DNS itself.  There also might be new opportunities for problems in an
   arrangement involving two or more (sub)layers, especially if such a
   system were designed without central authority or uniqueness of
   names.  It is uncertain how much greater those risks would be as
   compared to a DNS lookup sequence that involved looking up one name,



Klensin                      Informational                     [Page 24]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


   getting back information, and then doing additional lookups
   potentially in different subtrees.  That multistage lookup will often
   be the case with, e.g., NAPTR records [RFC 2915] unless additional
   restrictions are imposed.  But additional steps, systems, and
   databases almost certainly involve some additional risks of
   compromise.

7.  References

7.1 Normative References

   None

7.2 Explanatory and Informative References

   [Albitz]       Any of the editions of Albitz, P. and C. Liu, DNS and
                  BIND, O'Reilly and Associates, 1992, 1997, 1998, 2001.

   [ASCII]        American National Standards Institute (formerly United
                  States of America Standards Institute), X3.4, 1968,
                  "USA Code for Information Interchange". ANSI X3.4-1968
                  has been replaced by newer versions with slight
                  modifications, but the 1968 version remains definitive
                  for the Internet.  Some time after ASCII was first
                  formulated as a standard, ISO adopted international
                  standard 646, which uses ASCII as a base.  IS 646
                  actually contained two code tables: an "International
                  Reference Version" (often referenced as ISO 646-IRV)
                  which was essentially identical to the ASCII of the
                  time, and a "Basic Version" (ISO 646-BV), which
                  designates a number of character positions for
                  national use.

   [CIDR]         Fuller, V., Li, T., Yu, J. and K. Varadhan, "Classless
                  Inter-Domain Routing (CIDR): an Address Assignment and
                  Aggregation Strategy", RFC 1519, September 1993.

                  Eidnes, H., de Groot, G. and P. Vixie, "Classless IN-
                  ADDR.ARPA delegation", RFC 2317, March 1998.

   [COM-SIZE]     Size information supplied by Verisign Global Registry
                  Services (the zone administrator, or "registry
                  operator", for COM, see [REGISTRAR], below) to ICANN,
                  third quarter 2002.

   [DNS-Search]   Klensin, J., "A Search-based access model for the
                  DNS", Work in Progress.




Klensin                      Informational                     [Page 25]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


   [FINGER]       Zimmerman, D., "The Finger User Information Protocol",
                  RFC 1288, December 1991.

                  Harrenstien, K., "NAME/FINGER Protocol", RFC 742,
                  December 1977.

   [IAB-OPES]     Floyd, S. and L. Daigle, "IAB Architectural and Policy
                  Considerations for Open Pluggable Edge Services", RFC
                  3238, January 2002.

   [IQUERY]       Lawrence, D., "Obsoleting IQUERY", RFC 3425, November
                  2002.

   [IS646]        ISO/IEC 646:1991 Information technology -- ISO 7-bit
                  coded character set for information interchange

   [IS10646]      ISO/IEC 10646-1:2000 Information technology --
                  Universal Multiple-Octet Coded Character Set (UCS) --
                  Part 1: Architecture and Basic Multilingual Plane and
                  ISO/IEC 10646-2:2001 Information technology --
                  Universal Multiple-Octet Coded Character Set (UCS) --
                  Part 2: Supplementary Planes

   [MINC]         The Multilingual Internet Names Consortium,
                  http://www.minc.org/ has been an early advocate for
                  the importance of expansion of DNS names to
                  accommodate non-ASCII characters.  Some of their
                  specific proposals, while helping people to understand
                  the problems better, were not compatible with the
                  design of the DNS.

   [NAPTR]        Mealling, M. and R. Daniel, "The Naming Authority
                  Pointer (NAPTR) DNS Resource Record", RFC 2915,
                  September 2000.

                  Mealling, M., "Dynamic Delegation Discovery System
                  (DDDS) Part One: The Comprehensive DDDS", RFC 3401,
                  October 2002.

                  Mealling, M., "Dynamic Delegation Discovery System
                  (DDDS) Part Two: The Algorithm", RFC 3402, October
                  2002.

                  Mealling, M., "Dynamic Delegation Discovery System
                  (DDDS) Part Three: The Domain Name System (DNS)
                  Database", RFC 3403, October 2002.





Klensin                      Informational                     [Page 26]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


   [REGISTRAR]    In an early stage of the process that created the
                  Internet Corporation for Assigned Names and Numbers
                  (ICANN), a "Green Paper" was released by the US
                  Government.   That paper introduced new terminology
                  and some concepts not needed by traditional DNS
                  operations.  The term "registry" was applied to the
                  actual operator and database holder of a domain
                  (typically at the top level, since the Green Paper was
                  little concerned with anything else), while
                  organizations that marketed names and made them
                  available to "registrants" were known as "registrars".
                  In the classic DNS model, the function of "zone
                  administrator" encompassed both registry and registrar
                  roles, although that model did not anticipate a
                  commercial market in names.

   [RFC625]       Kudlick, M. and E. Feinler, "On-line hostnames
                  service", RFC 625, March 1974.

   [RFC734]       Crispin, M., "SUPDUP Protocol", RFC 734, October 1977.

   [RFC811]       Harrenstien, K., White, V. and E. Feinler, "Hostnames
                  Server", RFC 811, March 1982.

   [RFC819]       Su, Z. and J. Postel, "Domain naming convention for
                  Internet user applications", RFC 819, August 1982.

   [RFC830]       Su, Z., "Distributed system for Internet name
                  service", RFC 830, October 1982.

   [RFC882]       Mockapetris, P., "Domain names: Concepts and
                  facilities", RFC 882, November 1983.

   [RFC883]       Mockapetris, P., "Domain names: Implementation
                  specification", RFC 883, November 1983.

   [RFC952]       Harrenstien, K, Stahl, M. and E. Feinler, "DoD
                  Internet host table specification", RFC 952, October
                  1985.

   [RFC953]       Harrenstien, K., Stahl, M. and E. Feinler, "HOSTNAME
                  SERVER", RFC 953, October 1985.

   [RFC1034]      Mockapetris, P., "Domain names, Concepts and
                  facilities", STD 13, RFC 1034, November 1987.






Klensin                      Informational                     [Page 27]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


   [RFC1035]      Mockapetris, P., "Domain names - implementation and
                  specification", STD 13, RFC 1035, November 1987.

   [RFC1591]      Postel, J., "Domain Name System Structure and
                  Delegation", RFC 1591, March 1994.

   [RFC2181]      Elz, R. and  R. Bush, "Clarifications to the DNS
                  Specification", RFC 2181, July 1997.

   [RFC2295]      Holtman, K. and A. Mutz, "Transparent Content
                  Negotiation in HTTP", RFC 2295, March 1998

   [RFC2396]      Berners-Lee, T., Fielding, R. and L. Masinter,
                  "Uniform Resource Identifiers (URI): Generic Syntax",
                  RFC 2396, August 1998.

   [RFC2608]      Guttman, E., Perkins, C., Veizades, J. and M. Day,
                  "Service Location Protocol, Version 2", RFC 2608, June
                  1999.

   [RFC2671]      Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
                  2671, August 1999.

   [RFC2825]      IAB, Daigle, L., Ed., "A Tangled Web: Issues of I18N,
                  Domain Names, and the Other Internet protocols", RFC
                  2825, May 2000.

   [RFC2826]      IAB, "IAB Technical Comment on the Unique DNS Root",
                  RFC 2826, May 2000.

   [RFC2972]      Popp, N., Mealling, M., Masinter, L. and K. Sollins,
                  "Context and Goals for Common Name Resolution", RFC
                  2972, October 2000.

   [RFC3305]      Mealling, M. and R. Denenberg, Eds., "Report from the
                  Joint W3C/IETF URI Planning Interest Group: Uniform
                  Resource Identifiers (URIs), URLs, and Uniform
                  Resource Names (URNs):  Clarifications and
                  Recommendations", RFC 3305, August 2002.

   [RFC3439]      Bush, R. and D. Meyer, "Some Internet Architectural
                  Guidelines and Philosophy", RFC 3439, December 2002.

   [Seng]         Seng, J., et al., Eds., "Internationalized Domain
                  Names:  Registration and Administration Guideline for
                  Chinese, Japanese, and Korean", Work in Progress.





Klensin                      Informational                     [Page 28]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


   [STRINGPREP]   Hoffman, P. and M. Blanchet, "Preparation of
                  Internationalized Strings (stringprep)", RFC 3454,
                  December 2002.

                  The particular profile used for placing
                  internationalized strings in the DNS is called
                  "nameprep", described in Hoffman, P. and M. Blanchet,
                  "Nameprep: A Stringprep Profile for Internationalized
                  Domain Names", Work in Progress.

   [TELNET]       Postel, J. and J. Reynolds, "Telnet Protocol
                  Specification", STD 8, RFC 854, May 1983.

                  Postel, J. and J. Reynolds, "Telnet Option
                  Specifications", STD 8, RFC 855, May 1983.

   [UNICODE]      The Unicode Consortium, The Unicode Standard, Version
                  3.0, Addison-Wesley: Reading, MA, 2000.  Update to
                  version 3.1, 2001.  Update to version 3.2, 2002.

   [UTR15]        Davis, M. and M. Duerst, "Unicode Standard Annex #15:
                  Unicode Normalization Forms", Unicode Consortium,
                  March 2002.  An integral part of The Unicode Standard,
                  Version 3.1.1.  Available at
                  (http://www.unicode.org/reports/tr15/tr15-21.html).

   [WHOIS]        Harrenstien, K, Stahl, M. and E. Feinler,
                  "NICNAME/WHOIS", RFC 954, October 1985.

   [WHOIS-UPDATE] Gargano, J. and K. Weiss, "Whois and Network
                  Information Lookup Service, Whois++", RFC 1834, August
                  1995.

                  Weider, C., Fullton, J. and S. Spero, "Architecture of
                  the Whois++ Index Service", RFC 1913, February 1996.

                  Williamson, S., Kosters, M., Blacka, D., Singh, J. and
                  K. Zeilstra, "Referral Whois (RWhois) Protocol V1.5",
                  RFC 2167, June 1997;

                  Daigle, L. and P. Faltstrom, "The
                  application/whoispp-query Content-Type", RFC 2957,
                  October 2000.

                  Daigle, L. and P. Falstrom, "The application/whoispp-
                  response Content-type", RFC 2958, October 2000.





Klensin                      Informational                     [Page 29]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


   [X29]          International Telecommuncations Union, "Recommendation
                  X.29: Procedures for the exchange of control
                  information and user data between a Packet
                  Assembly/Disassembly (PAD) facility and a packet mode
                  DTE or another PAD", December 1997.

8. Acknowledgements

   Many people have contributed to versions of this document or the
   thinking that went into it.  The author would particularly like to
   thank Harald Alvestrand, Rob Austein, Bob Braden, Vinton Cerf, Matt
   Crawford, Leslie Daigle, Patrik Faltstrom, Eric A. Hall, Ted Hardie,
   Paul Hoffman, Erik Nordmark, and Zita Wenzel for making specific
   suggestions and/or challenging the assumptions and presentation of
   earlier versions and suggesting ways to improve them.

9. Author's Address

   John C. Klensin
   1770 Massachusetts Ave, #322
   Cambridge, MA 02140

   EMail: klensin+srch@jck.com

   A mailing list has been initiated for discussion of the topics
   discussed in this document, and closely-related issues, at
   ietf-irnss@lists.elistx.com.  See http://lists.elistx.com/archives/
   for subscription and archival information.























Klensin                      Informational                     [Page 30]
RFC 3467          Role of the Domain Name System (DNS)     February 2003


10. Full Copyright Statement

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.



















Klensin                      Informational                     [Page 31]
  1. RFC 3467