Re: [DNSOP] Root reasons (aka "why") - HTTP vs SRV vs ANAME vs CNAME

Tony Finch <dot@dotat.at> Thu, 08 November 2018 18:27 UTC

Return-Path: <dot@dotat.at>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B49F2128BCC for <dnsop@ietfa.amsl.com>; Thu, 8 Nov 2018 10:27:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LSoKRcf4XOVg for <dnsop@ietfa.amsl.com>; Thu, 8 Nov 2018 10:27:05 -0800 (PST)
Received: from ppsw-31.csi.cam.ac.uk (ppsw-31.csi.cam.ac.uk [131.111.8.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02FA012426A for <dnsop@ietf.org>; Thu, 8 Nov 2018 10:27:05 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:47602) by ppsw-31.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.137]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1gKp1C-000uDj-Lg (Exim 4.91) (return-path <dot@dotat.at>); Thu, 08 Nov 2018 18:27:02 +0000
Date: Thu, 8 Nov 2018 18:27:02 +0000
From: Tony Finch <dot@dotat.at>
To: Ray Bellis <ray@bellis.me.uk>
cc: dnsop@ietf.org
In-Reply-To: <a4087032-acb2-0f2e-f84b-31d2885d8390@bellis.me.uk>
Message-ID: <alpine.DEB.2.20.1811081801580.3596@grey.csi.cam.ac.uk>
References: <CAH1iCirLfSEUcTf=p5bHuFJSFie_BoPh4X=89w2mpxgNpR9HkA@mail.gmail.com> <2BDA0411-202D-4199-A43B-3FDC50DC47F5@isoc.org> <CAH1iCirdkU-jYLRGeOm3DcdsReShyOez3oU5hw5sJYEtQyyqGw@mail.gmail.com> <D378E8F5-A667-4649-90ED-7C3612F0A013@isoc.org> <a4087032-acb2-0f2e-f84b-31d2885d8390@bellis.me.uk>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/9VN-77a1lJiFOhjj2zYpj9qU0LM>
Subject: Re: [DNSOP] Root reasons (aka "why") - HTTP vs SRV vs ANAME vs CNAME
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Nov 2018 18:27:08 -0000

Ray Bellis <ray@bellis.me.uk> wrote:
> On 08/11/2018 11:47, Dan York wrote:
>
> > For that reason, wouldn't all the resolvers (or at least an extremely high
> > %) need to be upgraded to support the new record?
>
> They don't _have_ to be, but performance is improved when they are (since only
> an upgraded resolver will include the A and AAAA answers in the additional
> section).
>
> The critical path is the browsers, since none of this works unless they
> start looking up the HTTP record.
>
> As a transition mechanism, site operators would still need to publish their
> existing A and AAAA records by whatever means they currently do (even if
> that's e.g. a CNAME flattening on the authority server).

The transition mechanism is really important if zone publishers are going
to use HTTP records. It needs to be automated and invisible to the web
site admin. If you require people to provide both a target hostname and
the corresponding addresses, you are making it too hard. You aren't
removing the friction caused by the restrictions on CNAMEs.

At the moment the options for setting up 3rd party hosting are:

  * Just use address records. Lots of places prefer this because it
    always works, at the cost of less flexible static server setup.

  * Use a CNAME for www and address records for the bare domain. Maybe the
    address records refer to a server that is more limited in some way
    than the CNAME target (no geoIP, just a redirector, ...)

HTTP RRs risk adding a third option, where the web provider has to have
documentation asking whether the DNS provider supports HTTP RRs and if so
the site admin needs both these addresses and this hostname. And the
addresses can't refer to a redirector, so this thord option opens a new
trap for the unwary.

What I would like is to eliminate the wrong choices on the DNS provider
side of things, so that the web site admin can provide a target hostname
which will work on any name, just like they can with address records.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Fitzroy, Sole: Cyclonic 5 to 7, becoming southerly or southwesterly 7 to
severe gale 9. Very rough or high. Rain or showers. Good, occasionally poor.