It's official: Tor's .onion domains must be kept off the public internet
IETF publishes RFC 7686 and makes edible bulb a reserved name
Software is forbidden from using Tor URLs ending in .onion on the public internet following the publication of RFC 7686, which makes the top-level domain a "special use" case.
The cyber-veg also joins a very short list of names including .example, .invalid, .local, and .test that will not be added to the internet's root zone file in order to prevent security and stability problems.
The reason .onion makes it to the list is thanks to its use by the anonymizing Tor network, which identifies hidden services using the .onion top-level domain.
For example, Facebook's hidden service is facebookcorewwwi.onion. Looking up that address on the public internet using non-Tor-aware software won't work – but it will leak to DNS servers that you're looking for a particular site, thus ruining your privacy. However, Tor clients, such as the Tor Browser, can use it to find the website hidden within the Tor network.
The new RFC instructs software to never fling requests for .onion onto the public internet, and instead try to route them through the Tor network.
Tor is a network of a few thousand nodes that work together to make surveillance of its users difficult; it routes connections through multiple machines to cover people's tracks. The service is used by journalists, activists, and criminals, as a way to avoid identification.
If the top-level domain .onion was ever added to the public internet, it would immediately clash with the growing network of Tor addresses in much the same way that adding .local and .localhost to the global DNS would cause endless chaos.
The designation of .onion as a special-use domain was approved in draft form earlier this month and was added to the official list run by IANA. However, with the publication of RFC 7686, it has become official. The IANA list has already been updated.
One of the two authors of the RFC, Jacob Appelbaum, posted a blog post on the news, briefly covering the "long journey" to approval. In it, he also noted that it will soon be possible to get encryption certificates for .onion domains, making it even harder for users of the Tor network to be tracked.
Meanwhile, there is another draft in the IETF that would expand the special-use protection to a number of other domains that are used in peer-to-peer software, including .gnu, .zkey, .exit, .i2p, and .bit. ®