Re: [DNSOP] Root reasons (aka "why") - HTTP vs SRV vs ANAME vs CNAME

Brian Dickson <> Fri, 09 November 2018 05:55 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 75B581292AD for <>; Thu, 8 Nov 2018 21:55:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id nGA6WKcJMvSf for <>; Thu, 8 Nov 2018 21:55:21 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::e33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E52B71276D0 for <>; Thu, 8 Nov 2018 21:55:20 -0800 (PST)
Received: by with SMTP id y27so413512vsi.1 for <>; Thu, 08 Nov 2018 21:55:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=50yvsbs5TIsdi3aaHub0saTxoH+LdYXyLCiEWmIz7+U=; b=G8srQrGY0ubYgxGuq8TOtcPsJItwpnsn8srL3MIa9dTEqQ+/DOmu1541vxQ68wdtmm YmQqkDjy/b9mskJjOrVZwxAH11Sn5YsQUfClO8a9/Oc/V+cLt7ORbHoi8lDEqgJZRiFi 56l4TVOVEG9U8OWPeHe6xGaJthQJC0yz0LgTzvwfIKIyyxe1RJ4UCVIN5bOWwMXHZ+cW ypAoYLSlMwaY9KeYOIWEfBLkvogGHAFBWSx0MbZc8NoZZY96bYlgLGZsFUBFTPi7Kfdc ONtqvhBKsis0tSonK9tFkEpAU6cV+ND+Utv8VhzjicYDbibjtpyF/F4SkGytdf6u6WxG NDmw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=50yvsbs5TIsdi3aaHub0saTxoH+LdYXyLCiEWmIz7+U=; b=JnTkUj2kupxWO6A/PIsgkob/i4u1GD7SfJx0gvX+WOwYk9FeaNWLqvE770CJ5EmMuJ txLVYt6+zEyo3ZgJhrHbWDOtSnQMfnXqz3C9NuE84bvlPbv9mJbtdEE7n096dINZ+Pi9 5S5AnZZH/n/JuOFkjy6/gDsEApnGgq/DaLRbdOSqONLnUiI81OlUxlJvYmz4ab56JmU5 XtSXNlrVfuF7aLlQSUryhZBFMKwICn3yx8l+CaE8L6i1hAKs//VPucJYDKwe0oCPVV17 YS/wzjKfiV2jDv2HHfUyKHy3WFV0Y69asz4bHOWylqkaTf1N4yw33d2/7HVcGo5xRfRx pjsQ==
X-Gm-Message-State: AGRZ1gK1t/DuSVsmaCW3S4EUDvNqsXs/fvmSTZdVjh+/V7tbqdsWmrvu jjJQDfZVuHJEbyx1mD/gQz1P+/vo8A9LDWZXzcC8veGx
X-Google-Smtp-Source: AJdET5fWPrC34hcYnuwKzoNdvCDk+VYCxcYxZ8yduAJTVWKmktOANltCBLNO9UtYu0h6ATA8W8WjrM2d2LqRrim4kgc=
X-Received: by 2002:a67:7b0a:: with SMTP id w10mr3242680vsc.5.1541742919886; Thu, 08 Nov 2018 21:55:19 -0800 (PST)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Brian Dickson <>
Date: Fri, 09 Nov 2018 12:55:07 +0700
Message-ID: <>
To: Paul Vixie <>
Cc: " WG" <>
Content-Type: multipart/alternative; boundary="000000000000132f15057a34ff09"
Archived-At: <>
Subject: Re: [DNSOP] Root reasons (aka "why") - HTTP vs SRV vs ANAME vs CNAME
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 09 Nov 2018 05:55:23 -0000

On Fri, Nov 9, 2018 at 12:09 PM Paul Vixie <> wrote:

> Brian Dickson wrote:
> > Paul Vixie wrote:
i don't love the dnssec implications of this, including proof of
> nonwildcard.

I'm not 100% sure, but I think the generic DNSSEC response handling already
covers this.
If the response does not include the QTYPE, the NSEC/NSEC3 record proving
non-existent is required (already).
That the types are "type-specific thing" vs "wildcard-type thing", doesn't
even require special handling.

> it's pretty not-practical at this point to add a feature whose first
> real utility will come after the last resolver understands and
> implements it.

I think that overstates the deployment issue; in 1990, there weren't any
public resolvers that could be used (at least not that I'm aware of, or
maybe they were but got closed down later.)

Currently, the feature becomes usable when some fraction of the
{standard,open} resolvers have deployed support, and/or enough of the
clients (browsers) provide support, or both, plus some significant
support/deployment in authorities.

The efficiencies/optimizations on queries are something that might be
signaled via EDNS (either an OPT or a flag), regarding support for the new
slew of types.

Clients could have multiple resolvers configured, and prefer ones that
support the new types (as signaled by EDNS).

Those resolvers that provide support, and resolve the RDATA names to A/AAAA
and return those (from cache or proactively), minimize the need for
parallel queries and the corresponding query load.
Clients can learn (or be configured, or whatever) about resolver support
and tune their query logic based on that support.

That would put some degree of competitive pressure on resolver operators,
as well as providing a signal on client-side support. Client queries with
EDNS signal, to resolvers that do not support, still provide meaningful
uptake signal level to resolver operators.

The remaining two elements are authority server (software/operator)
support, and end-user (registrant) use. Competitive pressure in the market
place is beneficial once the first entrant deploys. EDNS signaling can help
there too, even when no response would have been provided (due to lack of
actual RRtype(s) at owner name).

I'm optimistic that there's a clean, scalable, flag-day-less, incremental
way forward.