Re: [dnsext] Some thoughts on the updated aliasing draft

Florian Weimer <> Tue, 29 March 2011 09:53 UTC

To: Ted Hardie <>
From: Florian Weimer <>
Date: Tue, 29 Mar 2011 09:55:14 +0000
In-Reply-To: <> (Ted Hardie's message of "Sat\, 26 Mar 2011 10\:51\:51 -0700")

* Ted Hardie:

> But the problem remains daunting.  Even if DNSEXT creates the perfect record
> for sameness, we still have to get apps to check it--and that suggests to me
> designing the system for that goal should be a primary consideration in the
> design space.

The problem is worse: applications routinely do not have access to the
public DNS when the proposed sameness or normalization step would have
to be performed.  For example, I'm writing this message on an
IDNA-capable mail client (it will use Punycode for the domain part
during submission if necessary), but the system it runs on lacks
access to the public DNS.  While our network is probably not
representative at all, I'm sure that the phenomenon (lack of DNS
access) is common on corporate networks.

There is something that borders on willful ignorance of this fact.
But it is pretty clear to me that you cannot use DNS for protocol
version signalling (this is what the IDNA folks really need, it just
got perverted to aliasing because an IDNA-specific kludge was not
received favorably) when you haven't got access to the DNS at the
point where you need the information.

Florian Weimer                <>
BFK edv-consulting GmbH
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
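The message above refers to "protocol version signalling" as what the IDNA work actually needs. The example below is added here and is not part of Florian's message or of any BFK code: it shows, entirely locally and with no DNS involved, how one user-typed mail domain can come out as two different ASCII names depending on which IDNA version the client applies, which is exactly the information a client would want to obtain before submission. Assumptions: Python's standard-library `idna` codec is used as the IDNA2003 path (nameprep mapping, then Punycode), and the IDNA2008 path is a deliberate simplification (no mapping step, straight Punycode with the `xn--` prefix), sufficient to show the divergence for U+00DF but not a full IDNA2008 implementation. Function names and the sample addresses are the author's own choices for this illustration.

```python
"""Two ASCII forms of one IDN mail domain, computed locally (no DNS).

Added example; not code from the quoted mailing-list message.
Assumption: the stdlib ``idna`` codec is IDNA2003; the 2008 path below is a
simplification (no mapping, just Punycode), not a full IDNA2008 implementation.
"""


def label_to_ascii_2003(label: str) -> str:
    # IDNA2003 ToASCII as done by Python's idna codec: nameprep first
    # (case folding and mappings such as U+00DF -> "ss"), then Punycode
    # with the "xn--" prefix only if non-ASCII characters remain.
    return label.encode("idna").decode("ascii")


def label_to_ascii_2008(label: str) -> str:
    # Simplified IDNA2008 A-label (assumption: no mapping step at all).
    # A non-ASCII label is Punycode-encoded verbatim, so U+00DF survives.
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def domain_to_ascii(domain: str, idna2008: bool = False) -> str:
    # Convert label by label; the dot structure is preserved.
    convert = label_to_ascii_2008 if idna2008 else label_to_ascii_2003
    return ".".join(convert(label) for label in domain.split("."))


def submission_address(addr: str, idna2008: bool = False) -> str:
    # What an IDNA-capable MUA does at submission time: leave the local
    # part alone (that is an SMTPUTF8 question, not an IDNA one) and
    # convert only the domain part. Nothing here touches a resolver.
    local, sep, domain = addr.rpartition("@")
    if not sep or not domain:
        raise ValueError(f"no domain part in {addr!r}")
    return f"{local}@{domain_to_ascii(domain, idna2008)}"


def ascii_forms(domain: str) -> dict:
    # Both candidate wire forms for one user-typed domain.
    return {
        "idna2003": domain_to_ascii(domain, idna2008=False),
        "idna2008": domain_to_ascii(domain, idna2008=True),
    }


def needs_version_signal(domain: str) -> bool:
    # True when the two IDNA versions disagree on the ASCII name, i.e. the
    # client cannot pick the right wire form from the input alone; it
    # would need out-of-band (e.g. DNS-carried) information about the peer.
    forms = ascii_forms(domain)
    return forms["idna2003"] != forms["idna2008"]


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    for addr in ("info@faß.de", "info@bücher.example", "info@strasse.de"):
        domain = addr.rpartition("@")[2]
        print(addr, ascii_forms(domain), "signal needed:", needs_version_signal(domain))
```

Running the block shows `faß.de` going to `fass.de` under IDNA2003 but `xn--fa-hia.de` under the 2008 path, while `bücher.example` gives `xn--bcher-kva.example` under both. The divergent case is the one where a client would have to consult something outside the address to know which name the remote side operates, and on a host without public DNS access that consultation simply cannot happen at submission time.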