Re: [DNSOP] abandoning ANAME and standardizing CNAME at apex

Viktor Dukhovni <> Sun, 24 June 2018 19:42 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 86243130E50 for <>; Sun, 24 Jun 2018 12:42:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.715
X-Spam-Status: No, score=-2.715 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FAKE_REPLY_C=1.486, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id VLTwgLg1ZP66 for <>; Sun, 24 Jun 2018 12:42:37 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8CC98130E33 for <>; Sun, 24 Jun 2018 12:42:37 -0700 (PDT)
Received: by (Postfix, from userid 1034) id 5CEE87A330A; Sun, 24 Jun 2018 19:42:36 +0000 (UTC)
Date: Sun, 24 Jun 2018 19:42:36 +0000
From: Viktor Dukhovni <>
Message-ID: <>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <> <>
User-Agent: Mutt/1.7.2 (2016-11-26)
Archived-At: <>
Subject: Re: [DNSOP] abandoning ANAME and standardizing CNAME at apex
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 24 Jun 2018 19:42:41 -0000

On Sat, Jun 23, 2018 at 07:43:19PM -0700, Joe Abley wrote:

> > Yes, but if they have the NSEC bitmap, they can follow the XNAME
> > without asking again.
> > [...]
> > That's already handled by NSEC/NSEC3.
> I think a pragmatic solution needs to work in unsigned zones.

For unsigned zones a synthetic NSEC record can (and should) be
returned unsigned, IN "XNAME" IN NSEC \ SOA NS MX "XNAME"

> If an XNAME proposal was to solve real-world problems for these people
> it would need to work with or without DNSSEC.
> [...]
> (And I wasn't entirely serious about calling the wildcard RRTYPE * :-)

Good, but actually, for "XNAME" to solve real-world problems, what's
needed is XNAME == CNAME.  Anything else faces deployment hurdles,
as applications have to be updated to support the new record.
CNAMEs are already understood, so just generalize them to be a
fallback redirect for RRtypes not explicitly configured.

On Sun, Jun 24, 2018 at 04:36:50AM +0000, Evan Hunt wrote:

> > I think a pragmatic solution needs to work in unsigned zones.
> +1, but, an unsigned zone could still return an NSEC-style bitmap.  It
> wouldn't be provably correct, but neither is any other unsigned response.


> You could actually add the bitmap to the XNAME rdata, instead of returning
> an NSEC.

But that requires a new "XNAME" rrtype, whereas what the users want
is a more flexible CNAME that coëxists with other RRtypes.  And
so in the unsigned case, an NSEC RR can ride along to provide the
information that the CNAME is of the new kind that lives alongside
some other records.

> The XNAME could then mean "alias to <name> for any rrtype not in
> <bitmap>".

I think that's the more appropriate definition.  Anything else
would require considerable new machinery.

> In any case, I don't understand how XNAME avoids the "ANAME kludges".
> Legacy resolvers won't know what to do with XNAME, so all the same
> workarounds on the auth side still must be implemented.

By making: XNAME == CNAME.