IETF Logo Mail Archive

Re: [dnsext] Some thoughts on the updated aliasing draft

Douglas Otis <dotis@mail-abuse.org> Tue, 29 March 2011 01:17 UTC

Return-Path: <dotis@mail-abuse.org>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E9A6528C0F1 for <dnsext@core3.amsl.com>; Mon, 28 Mar 2011 18:17:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.535
X-Spam-Level:
X-Spam-Status: No, score=-106.535 tagged_above=-999 required=5 tests=[AWL=0.064, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lq0JdkY1n0gi for <dnsext@core3.amsl.com>; Mon, 28 Mar 2011 18:17:32 -0700 (PDT)
Received: from harry.mail-abuse.org (harry.mail-abuse.org [168.61.5.27]) by core3.amsl.com (Postfix) with ESMTP id D478C3A6833 for <dnsext@ietf.org>; Mon, 28 Mar 2011 18:17:32 -0700 (PDT)
Received: from us-dougo-mac.us.trendnet.org (gateway1.sjc.mail-abuse.org [168.61.5.81]) by harry.mail-abuse.org (Postfix) with ESMTP id 74002A94442 for <dnsext@ietf.org>; Tue, 29 Mar 2011 01:20:00 +0000 (UTC)
Message-ID: <4D913386.3090002@mail-abuse.org>
Date: Mon, 28 Mar 2011 18:19:02 -0700
From: Douglas Otis <dotis@mail-abuse.org>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9
MIME-Version: 1.0
To: dnsext@ietf.org
References: <AANLkTimOKdFt9PyRD_hEdQstyak9Z-eCOAHm3FYooMjL@mail.gmail.com>
In-Reply-To: <AANLkTimOKdFt9PyRD_hEdQstyak9Z-eCOAHm3FYooMjL@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Subject: Re: [dnsext] Some thoughts on the updated aliasing draft
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2011 01:17:34 -0000

On 3/26/11 10:51 AM, Ted Hardie wrote:
> The draft under discussion  was updated just before the meeting, and 
> it has some useful updates.  I think, however, it is anxious to scope 
> the problem in ways that leave out what I believe is a well-recognized 
> aspect of the basic desire of those who brought the work forward.  The 
> draft says:
>
>
>   To some extent, the desired behavior can be described: "identical DNS
>   resolution" means that the process of resolving two domain names will
>   end with the same result, in most cases the same IP address.  In the
>   history of DNS protocol development, there have been two attempts to
>   specify such "identical resolution" behavior:CNAME[RFC1034] which
>   maps or redirects itself, and DNAME[RFC2672] which maps or redirects
>   its descendants.  In the case of bundles or groups of names, however,
>   some operators have asserted they need identical DNS resolution at
>   all levels' domain names, including the domain name itself and its
>   descendants.
>
> But the reality is that the operators actually want the applications 
> to treat two domain names as the same.  That's a lot harder than 
> simply having the same IP returned when looking up an A record at each 
> one.  Especially in the case of secured zones, it involves issuing 
> multiple certificates or certs that cover both, and otherwise ensuring 
> that whatever services are present at that IP can effectively handle 
> either name. It's moderately obvious that this is a tougher job than 
> putting in a CNAME or DNAME.
DNAME does not offer a practical solution when implemented at the roots, 
since it lacks the meta information that would be needed to synchronize 
different zones.  It seems possible to use this scheme to construct the 
resources to convey which domains are replicated, such as as placing 
this under some label, like "xn--lba" or "._®--".

Any alias scheme will cause unwanted delays.  With two different 
encoding for A-labels, 2003 or 2008, dropping A-labels and using 
U-labels  reduces the number of domains to be replicated. See
http://tools.ietf.org/html/rfc6055

While it is clear A-labels are needed by e-mail applications, the 
wording about what is legal is less clear when aliased resources are 
employed.  Are A-labels really needed and would
http://tools.ietf.org/id/draft-vixie-dnsext-dnsshadow-00.txt
provide a means to register domain name-sets?

-Doug

v2.29.0 | Report a Bug | By Email | System Status