Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-aname-00.txt

"Peter van Dijk" <> Mon, 10 April 2017 10:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C6CCF12946A for <>; Mon, 10 Apr 2017 03:04:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id TkRmDFKPlsqO for <>; Mon, 10 Apr 2017 03:04:54 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0A72D120724 for <>; Mon, 10 Apr 2017 03:04:54 -0700 (PDT)
Received: from [] (unknown [IPv6:2001:610:666:0:4121:72dd:65d3:c56d]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: peter) by (Postfix) with ESMTPSA id B1943C5C23; Mon, 10 Apr 2017 12:04:52 +0200 (CEST)
From: "Peter van Dijk" <>
Date: Mon, 10 Apr 2017 12:04:52 +0200
Message-ID: <>
In-Reply-To: <>
References: <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Mailer: MailMate (1.9.6r5347)
Archived-At: <>
Subject: Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-aname-00.txt
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 10 Apr 2017 10:04:56 -0000

On 10 Apr 2017, at 11:29, Florian Weimer wrote:

> On 04/07/2017 08:11 PM, Evan Hunt wrote:
>> Title:		Address-specific DNS Name Redirection (ANAME)
> I think the introduction should discuss why it is not possible to push 
> the CNAME to the parent zone, replacing the entire zone with an alias.

Why this is not possible seems obvious to me, but we’ll see what we 
can write.

> Section 3 is currently written in such a way that a recursive DNS 
> lookup must be performed at the authoritative server side.  I don't 
> think it is necessary to require that.  A recursive DNS lookup of the 
> target is just one way to implement this.

What other ways did you have in mind?

> In particular, the suggested recursive DNS lookup needs some form of 
> distributed loop detection.  Otherwise, a malicious customer could 
> publish two zones with ANAME records and achieve significant traffic 
> amplification, potentially taking down the DNS hoster.  A hop count in 
> an EDNS option or an “ANAME lookup in progress” indicator would be 
> one way to implement this.  Another approach would impose restrictions 
> on the owner name of an ANAME record and its target, and restrict 
> where CNAMEs can appear, so that a valid ANAME can never point to 
> another valid ANAME.

I’m not sure it’s feasible to forbid chaining ANAMEs. I do agree 
there is a vector for DoS here. Section 6 currently cowardly says 
“Both authoritative servers and resolvers that implement ANAME should 
carefully check for loops and treat them as an error condition.” but I 
am aware that more words are needed.

Kind regards,
Peter van Dijk