Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/ANAME apex record in PowerDNS

Andrew Sullivan <ajs@anvilwalrusden.com> Mon, 22 September 2014 13:21 UTC

Date: Mon, 22 Sep 2014 09:21:31 -0400
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnsop@ietf.org
Message-ID: <20140922132131.GA98041@mx1.yitter.info>
References: <20140921115222.GB16178@xs.powerdns.com> <541F1AE8.6010709@redbarn.org> <CAAF6GDdttYNDBDSROiHSGkkvRZ5Pxfm0W_d68x=POXgU_SsYOg@mail.gmail.com> <541F569D.9040508@redbarn.org>
In-Reply-To: <541F569D.9040508@redbarn.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/CZ9olh9y50nCQcVABFEmtbXpPBM
Subject: Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/ANAME apex record in PowerDNS

On Sun, Sep 21, 2014 at 03:52:13PM -0700, Paul Vixie wrote:

> does the ANAME(/ALIAS) server proxy every request, so, no caching? 

Some people have tried to implement it that way.  This is an excellent
way to DoS your server, it turns out (rumour has it that someone
learned that in production; but if you make a fairly simple
performance model you can derive this result on paper).

> if it caches, does it implement "client subnet"? 

It sort of has to, not that it will necessarily be useful.  An
important use case is CDNs, and since you probably want to do stupid
DNS tricks based on the source of the query, you better do client
subnet with it.  (Of course, statistically speaking right now that
means, "Works for Google and OpenDNS and not really anyone else.")

> proxied request times out (or servfails), does the original authority
> request also time out (or servfail?) and i wonder-- if the proxy request
> returns NXDOMAIN, what does the authority answer with?

There are use cases where the "right" answer is to extend the cache
value you had, even though the TTL has expired.  In other cases, you
should just pass on whatever you got, so you're working like a cache.

> what the implementers of this nonstandard feature seem to want is
> cname-and-other-data, by which i mean, a requester-visible alias that
> can live at the apex, and then have its target resolved in the
> requester's context. i'm not sure how best to do it, but i'm not liking
> the implications of always-proxy nor proxy-with-cache.

Yes.  For what it's worth, at Dyn we've come up with four different
designs for this functionality, every one of which has some compromise
that has caused my product people to say, "No, not like that."  I am
increasingly convinced that this feature is one of those well-known
ponies.

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com
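The three design questions raised in the exchange above (proxy every request, cache keyed by client subnet, and what to do when the proxied lookup times out or returns NXDOMAIN) can be made concrete with a small simulation. The following is an added illustration, not PowerDNS, Dyn or any list member's code; the upstream recursive resolver is a scripted fake, the name `cdn.example.net.`, the subnet `198.51.100.0/24`, and the `stale_grace` knob are constructed for the example, and the choice to pass NXDOMAIN through unchanged is one of the options the thread mentions, not a standard.

```python
"""Simulation of ALIAS/ANAME apex-record handling on an authoritative server.

Constructed example for the discussion above; not PowerDNS or Dyn code.
The upstream recursive resolver is a scripted fake, so this runs offline.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Answer:
    rcode: str                        # "NOERROR", "NXDOMAIN" or "SERVFAIL"
    addresses: Tuple[str, ...] = ()
    ttl: int = 0


class UpstreamTimeout(Exception):
    """The proxied lookup of the ALIAS target did not answer in time."""


@dataclass
class CacheEntry:
    answer: Answer
    expires: float                    # absolute time on the resolver's clock


class FakeClock:
    """Manual clock so TTL expiry can be simulated without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


class AliasResolver:
    """Authority-side handling of an ALIAS/ANAME record at the zone apex.

    lookup(target, client_subnet) stands in for the recursive lookup the
    authority must perform; it returns an Answer or raises UpstreamTimeout.
    """
    def __init__(self, lookup: Callable[[str, Optional[str]], Answer],
                 clock: Callable[[], float], *,
                 use_cache: bool = True, stale_grace: float = 0.0) -> None:
        self.lookup = lookup
        self.clock = clock
        self.use_cache = use_cache
        self.stale_grace = stale_grace    # seconds an expired entry may still be served
        self.cache: Dict[Tuple[str, Optional[str]], CacheEntry] = {}
        self.upstream_queries = 0         # the figure "proxy every request" drives up

    def resolve(self, target: str, client_subnet: Optional[str] = None) -> Answer:
        now = self.clock()
        # Key on the client subnet as well: with EDNS client subnet the CDN's
        # answer depends on where the query came from, so entries cannot be shared.
        key = (target, client_subnet)
        entry = self.cache.get(key) if self.use_cache else None
        if entry is not None and entry.expires > now:
            return entry.answer           # fresh hit: no upstream traffic

        self.upstream_queries += 1
        try:
            answer = self.lookup(target, client_subnet)
        except UpstreamTimeout:
            answer = Answer("SERVFAIL")

        if answer.rcode == "SERVFAIL":
            # Upstream failed: extend the expired entry inside the grace window,
            # otherwise the authority has nothing better than SERVFAIL itself.
            if entry is not None and entry.expires + self.stale_grace > now:
                return entry.answer
            return answer

        # NOERROR and NXDOMAIN are passed on as received, as a cache would;
        # only positive answers are stored here.
        if self.use_cache and answer.rcode == "NOERROR":
            self.cache[key] = CacheEntry(answer, now + answer.ttl)
        return answer


class ScriptedUpstream:
    """Fake recursive resolver: one canned result per (target, subnet)."""
    def __init__(self, table: Dict[Tuple[str, Optional[str]], object]) -> None:
        self.table = table
    def __call__(self, target: str, client_subnet: Optional[str]) -> Answer:
        result = self.table[(target, client_subnet)]
        if isinstance(result, Exception):
            raise result
        return result                     # type: ignore[return-value]


def run_scenarios() -> Dict[str, object]:
    """Exercise the designs discussed in the thread; returns figures to check."""
    target = "cdn.example.net."           # constructed name
    table: Dict[Tuple[str, Optional[str]], object] = {
        (target, None): Answer("NOERROR", ("192.0.2.10",), ttl=60),
        (target, "198.51.100.0/24"): Answer("NOERROR", ("192.0.2.20",), ttl=60),
        ("gone.example.net.", None): Answer("NXDOMAIN"),
    }
    out: Dict[str, object] = {}

    # 1. Proxy every request: upstream load equals client load, query for query.
    proxy = AliasResolver(ScriptedUpstream(table), FakeClock(), use_cache=False)
    for _ in range(50):
        proxy.resolve(target)
    out["proxy_upstream_queries"] = proxy.upstream_queries

    # 2. Cache keyed by client subnet: one upstream query per distinct key.
    clock = FakeClock()
    cached = AliasResolver(ScriptedUpstream(table), clock, stale_grace=300)
    for _ in range(50):
        cached.resolve(target)
        cached.resolve(target, "198.51.100.0/24")
    out["cached_upstream_queries"] = cached.upstream_queries

    # 3. TTL expired and upstream times out: serve stale inside the grace window.
    table[(target, None)] = UpstreamTimeout()
    clock.advance(61)
    out["stale_answer"] = cached.resolve(target).addresses
    clock.advance(300)
    out["after_grace"] = cached.resolve(target).rcode

    # 4. NXDOMAIN from the target is passed through unchanged.
    out["nxdomain"] = cached.resolve("gone.example.net.").rcode
    return out
```

`run_scenarios()` returns the counters so the two load models can be compared directly: with `use_cache=False` fifty client queries cost fifty upstream lookups, which is the amplification behind the "DoS your server" remark; with caching, the cost is one lookup per distinct (target, subnet) key per TTL, and the `stale_grace` window is the "extend the cache value you had" option for the timeout case.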