Safe, Compliant NX Domain Resolution for Intent Navigation
Summary
In 2003, SiteFinder's wildcarding in .com/.net caused major disruption — breaking email, tools, and protocols — leading ICANN and IETF to prohibit registry-level wildcarding in gTLDs (see all ICANN, IETF & CA/B provisions that prohibit wildcarding here).
Later, mandatory HTTPS and TLS/SSL made wildcarding impossible: unregistered domains cannot obtain valid certificates from public CAs.
AnyName solves this: DNAME routes NX queries to a registered internal zone via a CDN with its own CA (e.g., Cloudflare).
User sees only the original URL. No redirect. No warning. Full HTTPS. No client changes.
Detailed Description
Here's how it works, step-by-step (using acerlaptops.target as an example):
User types: https://acerlaptops.target
DNS Phase: Resolver queries acerlaptops.target. Target’s authoritative server sees it's unregistered (no A-record) and applies DNAME: rewrites to acerlaptops.nxresolve.example.target
Resolution: nxresolve.example.target — a pre-registered, controlled subdomain — resolves to Cloudflare’s edge IP (Cloudflare returns its own IP address). Still DNS — no HTTP as yet.
HTTPS Handshake: Browser connects to the Cloudflare edge IP.
SNI = acerlaptops.target
Host header = acerlaptops.target
Address bar stays: https://acerlaptops.target — never changes
TLS Certificate: The community must decide between two variants:
Variant 1 – Pre-Issued Wildcard (Preferred): Cloudflare attaches pre-issued *.target wildcard cert — valid ≤24 hours, renewed daily via ACME using Cloudflare’s own CA.
Variant 2 – On-the-Fly Minting: Cloudflare’s CA instantly mints an exact-match cert for acerlaptops.target — valid <24 hours, issued in <2 seconds.
Content Delivery: An AI agent on the edge interprets the label (acerlaptops) and decides routing. Two possible methods (brand choice):
Direct Edge Resolution: AI maps intent to target.com/acer-laptops and serves content directly from edge.
Internal Redirect: Edge issues 301/302/307 to my.target/?q=acerlaptops — brand logic runs on my.target.
No redirect visible to user. User sees only acerlaptops.target.
Eligibility Check (True Kill-Switch):
Eligible TLDs apply to enable NX resolution — this becomes part of their registry agreement. ICANN instructs IANA to maintain a public NX-eligible list (simple registry, not root zone). Field: "nxEligible": true
An Eligibility CA (independent, ICANN-designated) queries IANA daily and issues a 24-hour NX-Eligibility Certificate for each eligible TLD.
Target (the registry) provides this certificate to Cloudflare (its CDN/CA partner). Cloudflare verifies the certificate before issuing or renewing any TLS cert for NX labels.
If ICANN revokes eligibility:
→ Eligibility CA stops issuing
→ After 24 hours, all TLS certs expire
→ NX resolution stops automatically — no bypass
Certificate Cache:
Cloudflare caches all issued certificates for 24 hours (or high-traffic ones only — operator choice). No remint needed within validity.
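To make the DNS rewrite and the 24-hour kill-switch concrete, here is an added Python model of the flow above; it is not AnyName's or Cloudflare's code, and the zone names, addresses and the dictionary layouts for the IANA list and the NX-Eligibility Certificate are assumptions. It applies the rewrite only to unregistered labels as the page describes (an RFC 6672 DNAME by itself rewrites every name under its owner, so that registered-name check has to be made before the DNAME is applied), and it shows the two things the kill-switch depends on: the eligibility gate before issuance and the 24-hour expiry of the wildcard cert.

```python
# Added example (assumptions, not the proposal's own code): a model of the NX
# rewrite and the eligibility kill-switch. Times are integer epoch seconds.
TLD = "target"
DNAME_TARGET = f"nxresolve.example.{TLD}"
ZONE = {                                  # second-level names the registry has delegated
    f"my.{TLD}": "192.0.2.10",            # brand site (RFC 5737 documentation address)
    f"example.{TLD}": "198.51.100.7",     # CDN edge that serves nxresolve.example.target
}
HOUR = 3600
NX_CERT_LIFETIME = 24 * HOUR              # both the eligibility cert and the TLS cert live 24h

def delegated_parent(qname):
    """Return the delegated second-level name qname falls under, or None."""
    labels = qname.rstrip(".").split(".")
    sld = ".".join(labels[-2:])
    return sld if sld in ZONE else None

def resolve_nx(qname):
    """DNS phase: a delegated name answers normally; an unregistered label is
    rewritten by RFC 6672 suffix substitution into the nxresolve zone and the
    CDN edge address is returned. Returns (name the CDN will see, ip)."""
    parent = delegated_parent(qname)
    if parent is None:
        if not qname.endswith("." + TLD):
            raise ValueError(f"{qname} is not under .{TLD}")
        qname = qname[: -len("." + TLD)] + "." + DNAME_TARGET   # acerlaptops.target -> acerlaptops.nxresolve.example.target
        parent = delegated_parent(qname)                        # example.target is delegated, so the chain ends here
    return qname, ZONE[parent]

def cdn_may_issue(tld, iana_list, elig_cert, now):
    """Kill-switch gate run before issuing or renewing any TLS cert for an NX label:
    the TLD must be flagged nxEligible on IANA's list and the 24-hour
    NX-Eligibility Certificate must be current. Either failing stops issuance."""
    if not iana_list.get(tld, {}).get("nxEligible", False):
        return False
    return elig_cert["tld"] == tld and elig_cert["notBefore"] <= now < elig_cert["notAfter"]

def issue_wildcard(tld, iana_list, elig_cert, now):
    """Variant 1: pre-issued *.tld certificate valid 24 hours, or None if the gate fails."""
    if not cdn_may_issue(tld, iana_list, elig_cert, now):
        return None
    return {"name": f"*.{tld}", "notBefore": now, "notAfter": now + NX_CERT_LIFETIME}

def tls_accepts(cert, sni, now):
    """Client view: cert must be unexpired and the wildcard covers exactly one label
    (RFC 6125), so deep.acerlaptops.target is not covered by *.target."""
    if not cert["notBefore"] <= now < cert["notAfter"]:
        return False
    suffix = cert["name"][1:]                         # "*.target" -> ".target"
    left = sni[: -len(suffix)]
    return sni.endswith(suffix) and left != "" and "." not in left
```

Once the eligibility cert lapses, issue_wildcard returns None on the next daily renewal and the last wildcard cert simply runs out within 24 hours, which is the automatic stop the kill-switch section describes.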
Once adopted by ICANN and IETF, this will be fully compliant with: RFC 6672 (DNAME), RFC 8555 (ACME), ICANN Spec-13.
No redirect. No client change. True kill-switch. No cert for NX domains.
For more information please send an email to alexander.schubert@anyname.technology or call +1(202)888-2029