Report on the Assessment of Security and Stability Implications of the Use of DNAME Resource Records in the Root Zone of the DNS
ICANN commissioned a technical study into the security and stability implications of using the Domain Name System (DNS) DNAME Resource Record [RFC2672] in the root zone of the DNS. Testing was specified to be carried out in a captive lab environment which provided a functional replica of certain components of the public DNS. The results of that testing are presented in this report for the information of the wider DNS technical community.
This report found no failure in resolution or in the ability to perform DNSSEC validation when DNAME was used in the root zone to provide isomorphism between two top-level domains (TLDs), i.e. when one TLD was provisioned as a DNAME rather than as a distinct delegation. A variety of DNS software was tested as part of this study.
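To make concrete what provisioning a TLD as a DNAME means for resolution, the following added example (not taken from the report or its test lab) sketches the name substitution defined in RFC 2672, including the two edge cases a resolver must handle: the owner name itself is not redirected, and a rewritten name longer than 255 octets yields YXDOMAIN. The TLD labels `variant-tld` and `primary-tld` are hypothetical placeholders.

```python
# Added illustration of DNAME name substitution (RFC 2672); not from the report.
# All TLD names used with this code are constructed placeholders.

MAX_NAME_OCTETS = 255  # wire-format limit on a domain name


def labels(name):
    """Split a presentation-format name into labels (root -> []).

    Labels are case-folded for comparison; a real server preserves the
    case of the query's prefix labels. Simplified here for clarity.
    """
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def wire_length(lbls):
    """Octets on the wire: one length octet per label plus the root octet."""
    return sum(1 + len(label) for label in lbls) + 1


def dname_substitute(qname, owner, target):
    """Return (status, name) for qname against a DNAME at owner -> target.

    NOMATCH  : qname is the owner itself or lies outside its subtree
    CNAME    : rewritten name, as carried in the synthesized CNAME
    YXDOMAIN : the rewritten name would exceed 255 octets
    """
    q, o, t = labels(qname), labels(owner), labels(target)
    # DNAME redirects only names strictly below the owner, never the owner.
    # Comparison is per label, so "foovariant-tld" does not match "variant-tld".
    if len(q) <= len(o) or (o and q[-len(o):] != o):
        return ("NOMATCH", None)
    prefix = q[:len(q) - len(o)]
    rewritten = prefix + t
    if wire_length(rewritten) > MAX_NAME_OCTETS:
        return ("YXDOMAIN", None)
    return ("CNAME", ".".join(rewritten) + ".")
```

Because the owner name is not redirected, a query for the DNAME'd TLD itself is answered from the root zone, while every name beneath it is rewritten under the target TLD.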
The use of DNAME in provisioning isomorphic domains is a candidate mechanism for the deployment of variant TLDs. However, the purpose of this report was not to investigate or make recommendations about whether DNAME provides a useful partial or complete solution to any problem related to variant TLDs, but rather to consider the narrower technical implications of using DNAME in the root zone. The more general requirements for variant TLD provisioning are being studied independently of this work within ICANN.
Since this study was performed using a captive replica of the public DNS, it should not be interpreted as an exhaustive answer to the question of whether DNAME can be usefully deployed in the public root zone. However, the conclusions of this report support future work which might (for example) propose the limited deployment of DNAME in the root zone for the purposes of real-world testing.