Re: [DNSOP] Root reasons (aka "why") - HTTP vs SRV vs ANAME vs CNAME

Paul Vixie <paul@redbarn.org> Fri, 09 November 2018 02:30 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFDA61288BD for <dnsop@ietfa.amsl.com>; Thu, 8 Nov 2018 18:30:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZriAbFzWXNUv for <dnsop@ietfa.amsl.com>; Thu, 8 Nov 2018 18:30:48 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0063D124D68 for <dnsop@ietf.org>; Thu, 8 Nov 2018 18:30:47 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:ec89:6a65:e867:265a] (unknown [IPv6:2001:559:8000:c9:ec89:6a65:e867:265a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 347F2892C6; Fri, 9 Nov 2018 02:30:46 +0000 (UTC)
Message-ID: <5BE4F151.8000802@redbarn.org>
Date: Thu, 08 Nov 2018 18:30:41 -0800
From: Paul Vixie <paul@redbarn.org>
User-Agent: Postbox 5.0.25 (Windows/20180328)
MIME-Version: 1.0
To: Ray Bellis <ray@bellis.me.uk>
CC: dnsop@ietf.org
References: <CAH1iCirLfSEUcTf=p5bHuFJSFie_BoPh4X=89w2mpxgNpR9HkA@mail.gmail.com> <2BDA0411-202D-4199-A43B-3FDC50DC47F5@isoc.org> <CAH1iCirdkU-jYLRGeOm3DcdsReShyOez3oU5hw5sJYEtQyyqGw@mail.gmail.com> <D378E8F5-A667-4649-90ED-7C3612F0A013@isoc.org> <a4087032-acb2-0f2e-f84b-31d2885d8390@bellis.me.uk> <alpine.DEB.2.20.1811081801580.3596@grey.csi.cam.ac.uk> <7702EE25-1B10-4880-804C-C7CF5FE609C8@isc.org> <A7834682-C078-4E7F-985E-8FBBF387AC66@dotat.at> <57fff590-9e0f-0510-9c8a-bc0abab471b6@bellis.me.uk>
In-Reply-To: <57fff590-9e0f-0510-9c8a-bc0abab471b6@bellis.me.uk>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/5_h6uolBN3hBLdDl5qNE7nrP2iM>
Subject: Re: [DNSOP] Root reasons (aka "why") - HTTP vs SRV vs ANAME vs CNAME
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Nov 2018 02:30:50 -0000


Ray Bellis wrote:
>
>
> On 09/11/2018 07:14, Tony Finch wrote:
>> But remember: the goal is to make the DNS easier to use for people
>> who don’t know about the restrictions on CNAMEs.
>
> I'd say the goal is to make the DNS *possible* to use for people who
> don't know about the restrictions on CNAMEs.

i regret not adding ANY as an RR type (not just a Q type) back when the 
DNS was small and i supported 90% of it. what we actually needed is a 
wildcard on types so that if there's no more-specific type you get that 
one, which would have an rdata of the target name, but act like PTR 
(which the DNS requester has to follow) rather than like CNAME (which 
the recursive has to follow.)

> I concede that ANAME perhaps makes that easier than HTTP does, but it
> does so at the expense of significant complexity in authority servers by
> still requiring A and AAAA lookups to be somehow "magic", and doesn't
> fix the architectural problem of lack of a service identifier.

i am loath to create per-service record types. that's why SRV. if you 
really want every client of a service to query for something other than 
AAAA/A, can you try to fix what's wrong with SRV regarding wildcards, 
but avoid a new type code for every new thing like MX and HTTP as they 
come along in the decades to follow? also, does SSH count as a service? 
what about FTP? Gopher? RSync? NNTP? IMAP(S)? it may not be too late to 
think architectural thoughts like "what will the internet engineering 
community think, 50 years from now, that we should have done for them?"

> My long-term goal would be to never have an A or AAAA record appear in
> the DNS other than at the owner name of an actual hostname.

i don't think you mean "actual". anycasted addresses act like host 
addresses in all ways (answering UDP, answering TCP SYN, answering ICMP) 
but are not "actual" hosts. i think i know what you _mean_ here and if 
so i agree with that. but 1.1.1.1 answers both HTTPS and DNS, and would 
surely get an AAAA and A in your model, but is not a "host", and its DNS 
owner would not be a "hostname". perhaps you mean "effective host" which 
could be real or virtual?

-- 
P Vixie