Tor's .onion domain approved by IETF/IANA


By Nathan Willis
September 10, 2015

The Tor project gained an important piece of official recognition this week when two key Internet oversight bodies gave their stamp of approval to Tor's .onion top-level domain (TLD). While .onion has been in use on the Tor network for several years, it was always as a "pseudo-domain" in the past. Its official recognition should make wider interoperability possible (as well as shield the domain from being claimed by a domain registrar).

To recap, Tor first introduced .onion in a 2004 whitepaper that described how hidden services on the Tor network could be accessed. An application designed for Internet usage (such as a web browser) needs the hostnames of servers to be looked up through a DNS-like mechanism that returns an IP address. The .onion TLD serves the corresponding purpose for a server running on the Tor network rather than on the Internet, but .onion hostnames are substantially different.

The server has a foo.onion hostname, where "foo" is the hash of the server's public encryption key. When the browser sends an HTTPS request to foo.onion, rather than performing a DNS lookup, the Tor proxy looks up the hash in Tor's distributed hash table and, assuming the server is online, gets the address of a Tor "rendezvous" node in return. Tor then contacts the rendezvous node and establishes the connection. The end result is functionally the same as the DNS case—the client gets a working connection to the server—but the .onion protocol makes the connection happen without either endpoint learning about the other's location.
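To show why a .onion name needs no registrar to be trustworthy, here is an added Python example (not code from the article or from Tor) of the hidden-service naming scheme in use when this was written: the hostname is the base32 encoding of the first 80 bits of the SHA-1 digest of the DER-encoded RSA public key, so a client that receives the service's key can check that it hashes to the name it asked for. The key material is constructed pseudo-random data shaped like a 1024-bit RSA modulus, not a real key, and the helper names are this example's own.

```python
"""Added example: how a 2015-era .onion hostname is bound to the service's
public key.  Not the article's or Tor's code; the key below is constructed
pseudo-random data shaped like a 1024-bit RSA modulus."""
import base64
import hashlib
import random

B32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """DER INTEGER for a non-negative int (a leading 0x00 keeps it positive)."""
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return b"\x02" + der_length(len(raw)) + raw


def der_rsa_public_key(modulus, exponent):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = der_integer(modulus) + der_integer(exponent)
    return b"\x30" + der_length(len(body)) + body


def onion_address(der_public_key):
    """First 80 bits (10 bytes) of SHA-1 over the DER key, base32, lower-case:
    the 16-character label that precedes '.onion'."""
    digest = hashlib.sha1(der_public_key).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


def address_matches_key(hostname, der_public_key):
    """Client-side check: does the key the service presented hash to the name
    we connected to?  This binding, not DNS, is what authenticates the service."""
    return hostname.rstrip(".").lower() == onion_address(der_public_key)


def constructed_key(seed):
    """Deterministic stand-in for a hidden service's RSA-1024 public key.
    The modulus is NOT a product of two primes; only its shape matters here."""
    rng = random.Random(seed)
    modulus = rng.getrandbits(1024) | (1 << 1023) | 1
    return der_rsa_public_key(modulus, 65537)


if __name__ == "__main__":
    key = constructed_key(seed=7)
    name = onion_address(key)
    print(name)
    print("matches own key:", address_matches_key(name, key))
    print("matches other key:", address_matches_key(name, constructed_key(seed=8)))
```

Because the name is a one-way function of the key, the only way to obtain a memorable address like Facebook's is the brute-force search the article mentions: generate keys until onion_address() happens to start with the wanted prefix. The same property is what makes a registrar unnecessary, and what a fraudulent .onion registration on the public DNS could never provide.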

Informalities

The .onion mechanism works reliably enough that recent years have seen several high-profile service providers add Tor hidden-service entry points. Facebook famously crunched through a massive set of hash calculations before it stumbled onto its easily remembered Tor address, facebookcorewwwi.onion [Tor link]. Search engine DuckDuckGo, news outlet The Intercept, and several other well-known web sites have followed suit (albeit without Facebook's easy-to-memorize hash).

Nevertheless, as long as .onion remained an unofficial TLD, nothing would formally prevent a new registrar from applying to the Internet Corporation for Assigned Names and Numbers (ICANN) to register and manage a .onion TLD on the public Internet. ICANN opened the doors to applications for new TLDs in 2012, and has received several thousand.

There have been other well-known pseudo-domains in years past—readers with long memories may recall .uucp or .bitnet—but those pseudo-domains were never formally specified. ICANN's new policy for accepting open submissions for new TLDs means that such informal conventions are a risky proposition. For example, RFC 6762 lists several TLDs "recommended" for private usage on internal networks, including .home, .lan, .corp, and .internal. Of those, .lan and .internal still seem to be unclaimed, but the ICANN site lists six registrar applications to manage .corp and eleven for the .home domain.

Consequently, Tor's Jacob Appelbaum (along with Facebook engineer Alec Muffett) submitted an Internet Draft proposal to the IETF to have .onion officially recognized as a "special-use domain name." The proposal specifies the expected behavior for application software and domain-name resolvers, and it forbids DNS registrars and DNS servers from interfering with Tor's usage of .onion. Specifically, it requires registrars to refuse any registrations for .onion domain names and it requires DNS servers to respond to all lookup requests for .onion domains with the "non-existent domain" response code, NXDOMAIN. Application software and caching DNS resolvers need to either resolve .onion domains through Tor or generate the appropriate error indicating that the domain cannot be resolved.
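As an added example (not code from the article, from Tor, or from the Internet Draft itself), the following Python sketches the resolver-side behaviour the proposal asks for: a stub or caching resolver hands names under .onion to Tor when a Tor path is available and otherwise answers NXDOMAIN locally rather than forwarding the query to the public DNS. It also builds the wire-format NXDOMAIN reply and scans a query log for .onion names that did reach an ordinary resolver, which is the leak a defender would want to spot. The log format and the log lines are constructed for this example; the function names are this example's own.

```python
"""Added example: .onion handling as the Internet Draft describes it.

A name under .onion must never be sent to the public DNS.  A resolver either
hands it to Tor or answers NXDOMAIN (RCODE 3) itself.  Not the article's code,
nor Tor's; the query-log format below is constructed.
"""
import struct

ONION_TLD = "onion"
RCODE_NXDOMAIN = 3
QTYPE_A = 1
QCLASS_IN = 1


def is_onion_name(hostname):
    """True when the rightmost label is 'onion' (case-insensitive, trailing
    dot tolerated), i.e. the name belongs to the Tor network, not the DNS."""
    labels = hostname.rstrip(".").lower().split(".")
    return labels[-1] == ONION_TLD


def route_lookup(hostname, tor_available):
    """Policy a stub or caching resolver applies before any DNS traffic.

    Returns ("tor", name) when the name is .onion and a Tor proxy can resolve
    it, ("nxdomain", name) when it is .onion but no Tor path exists (answer
    locally, never forward), and ("dns", name) for ordinary names.
    """
    if not is_onion_name(hostname):
        return ("dns", hostname)
    if tor_available:
        return ("tor", hostname)
    return ("nxdomain", hostname)


def encode_qname(hostname):
    """DNS wire-format name: length-prefixed labels terminated by a 0 byte."""
    out = bytearray()
    for label in hostname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS label must be 1..63 bytes")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_nxdomain_response(query_id, hostname, qtype=QTYPE_A):
    """Synthesise the reply a resolver returns for a .onion query it refuses
    to forward: same ID as the query, QR=1 RD=1 RA=1, RCODE=3, the question
    echoed back, and no answer records."""
    flags = (1 << 15) | (1 << 8) | (1 << 7) | RCODE_NXDOMAIN  # 0x8183
    header = struct.pack("!HHHHHH", query_id, flags, 1, 0, 0, 0)
    return header + encode_qname(hostname) + struct.pack("!HH", qtype, QCLASS_IN)


def rcode_of(response):
    """Extract the 4-bit RCODE from the flags word of a DNS message."""
    (flags,) = struct.unpack("!H", response[2:4])
    return flags & 0x0F


# Constructed query-log lines: "<timestamp> client <ip> query <name> <type>".
CONSTRUCTED_QUERY_LOG = [
    "2015-09-10T12:00:01 client 10.0.0.5 query www.example.com A",
    "2015-09-10T12:00:02 client 10.0.0.7 query facebookcorewwwi.onion A",
    "2015-09-10T12:00:03 client 10.0.0.5 query mail.example.com MX",
]


def onion_leaks(log_lines):
    """Names under .onion found in an ordinary resolver's query log.  Any hit
    means some client or application sent a Tor name to the public DNS,
    which is exactly what the proposal tells software not to do."""
    leaked = []
    for line in log_lines:
        fields = line.split()
        if "query" in fields:
            idx = fields.index("query") + 1
            if idx < len(fields) and is_onion_name(fields[idx]):
                leaked.append(fields[idx])
    return leaked


if __name__ == "__main__":
    print(route_lookup("facebookcorewwwi.onion", tor_available=False))
    reply = build_nxdomain_response(0x1234, "facebookcorewwwi.onion")
    print("RCODE", rcode_of(reply), "length", len(reply))
    print("leaked:", onion_leaks(CONSTRUCTED_QUERY_LOG))
```

The point of answering locally is that a .onion lookup carries the identity of the service a user is about to contact; forwarding it to a recursive resolver discloses that to every hop on the way. Running onion_leaks() over a real resolver's query log (after adapting the field parsing to its format) is a cheap way to find software that has not yet adopted the behaviour the draft specifies.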

On September 9, the IETF approved Appelbaum and Muffett's proposal as a Draft RFC, and ICANN's Internet Assigned Numbers Authority (IANA) added .onion to the official list of special-use domain names. That list, unlike RFC 6762, is a formal one; apart from the reverse lookups for the reserved IP-address blocks, only a few domains are included (such as .test, .localhost, .local, .invalid, and several variations of "example").

What's next

The most immediate effect of the approval will likely be that general-purpose software can implement support for .onion, since there is now no concern that the TLD could be "overloaded" in the future by being adopted in a non-Tor setting. Appelbaum, of course, has lobbied the free-software community in recent years to start building in support for Tor as a generic network-transport layer. He proposed the idea at GUADEC 2012, and raised it again at DebConf 2015. Implementing system-wide Tor support would not be trivial, but it is perhaps now a more reasonable request.

In the longer term, though, the official recognition of .onion may have other ripple effects. Facebook's Tor team posted an announcement about the change, and noted that it raises the possibility of getting SSL certificates for .onion domains:

Jointly, these actions enable ".onion" as special-use, top-level domain name for which SSL certificates may be issued in accordance with the Certificate-Authority & Browser Forum "Ballot 144" - which was passed in February this year.

Together, this assures the validity and future availability of SSL certificates in order to assert and protect the ownership of Onion sites throughout the whole of the Tor network....

The CAB Forum ballot linked to by the announcement proposed a set of validation rules for issuing certificates for .onion domains and for certificate authorities (CAs) to sign those certificates. It makes straightforward arguments—namely, that users benefit if site owners can publicly prove their ownership of a .onion address. Apart from Facebook, after all, most .onion URLs are quite difficult to remember.

That said, the forum ballot passed with six "yes" votes from CAs, two "no" votes, and 13 abstentions, plus "yes" votes from three browser vendors. That result might not be interpreted as a strong mandate among CAs. In addition, the CAB Forum is not a governing body, so its approval does not necessarily dictate that any particular CA will issue .onion certificates in the future.

Nevertheless, approval for the .onion TLD is undoubtedly a positive sign for Tor and for hidden services in particular. The project can point to it as acceptance that the technology has grown in popularity among Internet users and is a far cry from the "dark web" so often alluded to in the general press. Just as importantly, developers can count on .onion as a stable service-naming scheme, which may lead to interesting new developments down the line.

Copyright © 2015, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds
