SAC113 - SSAC Advisory on Private-Use TLDs

Warren Kumari
Greg Aaron
Joe Abley
Jaap Akkerhuis
Tim April
Lyman Chapin
kc claffy
Patrik Fältström
James Galvin
Cristian Hesselman
Geoff Huston
Merike Kaeo
Barry Leiba
John Levine
Danny McPherson
Russ Mundy
Rod Rasmussen
Mark Seiden
Suzanne Woolf
ICANN Security and Stability Advisory Committee (SSAC) Reports and Advisories (2020), pp. 27


In this document, the SSAC recommends the reservation of a DNS label that does not (and cannot) correspond to any current or future delegation from the root zone of the global DNS. This label can then serve as the top-level domain name (TLD) of a privately resolvable namespace that will not collide with the resolution of names delegated from the root zone. In order for this to work properly, this reserved private-use TLD must never be delegated in the global DNS root.

Currently, many enterprises and device vendors make ad hoc use of TLDs that are not present in the root zone when they intend the name for private use only. This usage is uncoordinated and can cause harm to Internet users. The DNS has no explicit provision for internally-scoped names, and current advice is for vendors or service providers to use a sub-domain of a public domain name for internal or private use. Using sub-domains of registered public domain names is still the best practice for naming internal resources. The SSAC concurs with this best practice, and encourages enterprises, device vendors, and others who require internally-scoped names to use sub-domains of registered public domain names whenever possible. However, this is not always feasible and there are legitimate use cases for private-use TLDs.

The need for private-use identifiers is not unique to domain names, and a useful analogy can be drawn between the uses of private IP address space and those of a private-use TLD. Network operators use private IP address space to number resources not intended to be externally accessible, and private-use TLDs are used by network operators in a similar fashion. This document proposes reserving a string in a manner similar to the current use of private IP address space. A similar rationale can be used to reserve more strings in case the need arises.

This document does not recommend a specific string for reservation. Instead, criteria are provided in Section 4.1 to guide the decision on which string to choose and assist the ICANN Board in making its determination. Four criteria are provided to help guide this decision and reasoning is provided for each.

This advisory takes a pragmatic approach to an issue that the DNS allows by its design. Because of the decentralized nature of the DNS, there is no way to prevent ad hoc use of a TLD in place of the explicitly reserved private string that this advisory recommends. Nevertheless, the SSAC believes that the reservation of a private string will help to reduce ad hoc usage, provide greater predictability for network administrators and equipment vendors, and, over time, reduce erroneous queries to root servers.