Re: [DNSOP] abandoning ANAME and standardizing CNAME at apex

Shumon Huque <> Sun, 24 June 2018 03:08 UTC

From: Shumon Huque <>
Date: Sat, 23 Jun 2018 23:08:15 -0400
Message-ID: <>
To: Paul Vixie <>
Cc: Joe Abley <>, " WG" <>
List-Id: IETF DNSOP WG mailing list <>

On Sat, Jun 23, 2018 at 10:45 PM Paul Vixie <> wrote:

> Joe Abley wrote:
> > I think a pragmatic solution needs to work in unsigned zones.
> >
> > ...
> can someone ask the IAB to rule on whether any new internet technology
> standard should address unsigned DNS zones, or for that matter, IPv4
> networks?

I have to agree with Joe here.

I have no problem with the IAB/IETF requiring that new DNS enhancements
need to be compatible with and work with DNSSEC - and I support that
requirement. But if they don't also work with unsigned zones, then they
will face a critical deployment obstacle in today's Internet environment,
where DNSSEC is still largely undeployed. So I think for each new
enhancement proposal, we need to evaluate this obstacle, and determine if
it's worth doing the work.

In particular, for the various type specific alias proposals that are the
topic of this thread, the target audience is extensively deployed sites on
the Internet. And if you survey all the sites that use apex CNAME hacks
today, I suspect that you will find a very small minority of them have
deployed DNSSEC. And so, if the proposed solution requires DNSSEC, it is
not really solving the problem in the field. Maybe it will a decade down
the road (if DNSSEC gets wide uptake by then, which is by no means
certain), but I assume we want to solve the problem on a somewhat smaller
time frame.
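Added example, not part of this thread or of anyone's post in it: a small lint pass over zone records that makes the two points of the discussion concrete. It flags the RFC 1034 section 3.6.2 rule that a CNAME cannot coexist with other data at the same owner name (the reason a CNAME at the apex, which always holds SOA and NS, is the "hack" the thread refers to), and it reports whether the zone carries any DNSSEC records at all. The zone contents, names and the lb.cdn-provider.test target are constructed sample data; the function names are my own.

```python
"""Zone-record lint for the apex CNAME problem and DNSSEC presence.

Added example, not code from the DNSOP thread. The sample zone below is
constructed; example.test and lb.cdn-provider.test are placeholders.
"""

from collections import defaultdict

# Constructed sample zone as (owner, type, rdata) tuples. The CNAME at
# the apex next to SOA/NS is the configuration the thread calls an
# "apex CNAME hack"; the CNAME at www is fine because nothing else
# lives at that name.
SAMPLE_ZONE = [
    ("example.test.", "SOA",
     "ns1.example.test. hostmaster.example.test. 1 3600 900 1209600 300"),
    ("example.test.", "NS", "ns1.example.test."),
    ("example.test.", "CNAME", "lb.cdn-provider.test."),      # invalid at apex
    ("www.example.test.", "CNAME", "lb.cdn-provider.test."),  # valid
    ("ns1.example.test.", "A", "192.0.2.1"),
]

# RR types whose presence shows the zone is signed (or at least
# carries signing material).
DNSSEC_TYPES = {"DNSKEY", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM"}

# RFC 4035 section 2.5 allows RRSIG and NSEC/NSEC3 alongside a CNAME in a
# signed zone, so those do not count as a coexistence violation.
CNAME_COMPANIONS = {"CNAME", "RRSIG", "NSEC", "NSEC3"}


def cname_conflicts(records):
    """Map each owner name holding a CNAME plus other data to the
    offending RR types (RFC 1034 section 3.6.2)."""
    types_by_owner = defaultdict(set)
    for owner, rtype, _rdata in records:
        types_by_owner[owner.lower()].add(rtype.upper())
    conflicts = {}
    for owner, types in types_by_owner.items():
        if "CNAME" in types:
            others = types - CNAME_COMPANIONS
            if others:
                conflicts[owner] = sorted(others)
    return conflicts


def has_dnssec_records(records):
    """True if the zone contains any DNSSEC RR type."""
    return any(rtype.upper() in DNSSEC_TYPES for _o, rtype, _r in records)


def lint_zone(records, apex):
    """Summarise the zone: is there a CNAME at the apex, which owner
    names break the CNAME rule, and is the zone signed at all."""
    apex = apex.lower()
    conflicts = cname_conflicts(records)
    apex_cname = any(
        owner.lower() == apex and rtype.upper() == "CNAME"
        for owner, rtype, _ in records
    )
    return {
        "apex_cname": apex_cname,
        "conflicts": conflicts,
        "dnssec": has_dnssec_records(records),
    }


if __name__ == "__main__":
    report = lint_zone(SAMPLE_ZONE, "example.test.")
    for owner, types in report["conflicts"].items():
        print(f"{owner}: CNAME coexists with {', '.join(types)}")
    print("apex CNAME:", report["apex_cname"])
    print("DNSSEC records present:", report["dnssec"])
```

On the sample zone the lint reports the apex as the one conflicting name (CNAME next to NS and SOA) and no DNSSEC records, which is exactly the combination the message describes as the common case in the field: sites that want an apex alias and have not signed their zone.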