Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-01.txt

Evan Hunt <> Thu, 25 January 2018 23:27 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0938712EAF3 for <>; Thu, 25 Jan 2018 15:27:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.91
X-Spam-Status: No, score=-6.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id YEsM1c5vaOJ1 for <>; Thu, 25 Jan 2018 15:27:04 -0800 (PST)
Received: from ( [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 566E212EB00 for <>; Thu, 25 Jan 2018 15:27:04 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 27E413AB06B; Thu, 25 Jan 2018 23:27:02 +0000 (UTC)
Received: by (Postfix, from userid 10292) id F3264216C1C; Thu, 25 Jan 2018 23:27:01 +0000 (UTC)
Date: Thu, 25 Jan 2018 23:27:01 +0000
From: Evan Hunt <>
To: "Wessels, Duane" <>
Cc: dnsop <>, Peter van Dijk <>, "" <>
Message-ID: <>
References: <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-01.txt
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 25 Jan 2018 23:27:06 -0000

On Thu, Jan 25, 2018 at 10:05:24PM +0000, Wessels, Duane wrote:
> Why does the draft mandate initial TTL behavior?  The important aspect
> would seem to be how long the data can be kept in cache, not what the
> (initial) TTL value is.  As I noted in the previous message, Unbound's
> cache-max-ttl works that way and I think it has some nice properties.

I'm not sure I understand the distinction you're making. When you first
cache something, its TTL represents the length of time that data can be
kept in the cache, and it counts down from there to zero. That's what
I meant by the initial TTL.

> Also in this new text I'm not sure what to make of "intermediate and address
> records." If "and" is truly intentional in this phrase then I think
> intermediate should be better defined, or examples given.

Suppose ANAME (TTL 3600) points to a CNAME (TTL 30) which points to a CNAME
(TTL 5) which points to an A (TTL 86400).  The response would contain ANAME
with TTL 3600 and, because of the intermediate CNAME, A with TTL 5.

Suggestions welcome for a clearer way to phrase this.

> >    Address records with expired TTLs MUST NOT be used to answer
> >    address queries until refreshed by sending a new query to the ANAME
> >    <target>.
> > 
> >  [...]
> > 
> >    If resolution of the ANAME <target> yields no address records due to
> >    some other failure, and the query was for a specific address type,
> >    the response MUST include the ANAME record and set the RCODE to
> >    SERVFAIL.
> If the authoritative server has address records, which then expire, and
> cannot be refreshed, I read this as saying the later response must be

For A or AAAA queries, that is the intent. An explicit query for type ANAME
would still be answered.

> That seems in contradiction with the ideas of draft-serve-stale which says
> "stale bread is better than no bread" and "Several major recursive resolver
> operations currently use stale data for answers in some way ...  Their
> collective operational experience is that it provides significant benefit
> with minimal downside."

This seems like a job for the resolver, not the auth server.  In the long
term my hope is that resolvers will implement ANAME, chase the answers
themselves, and then decide whether to serve stale records or not.
However, I guess we can relax this requirement if the auth server is
configured for serve-stale.

Evan Hunt --
Internet Systems Consortium, Inc.