Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/ANAME apex record in PowerDNS
Andrew Sullivan <ajs@anvilwalrusden.com> Mon, 22 September 2014 13:21 UTC
Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5CD51A1AC0 for <dnsop@ietfa.amsl.com>; Mon, 22 Sep 2014 06:21:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.559
X-Spam-Level: **
X-Spam-Status: No, score=2.559 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_MISMATCH_INFO=1.448, HOST_MISMATCH_NET=0.311] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PuUv80jSykVH for <dnsop@ietfa.amsl.com>; Mon, 22 Sep 2014 06:21:39 -0700 (PDT)
Received: from mx1.yitter.info (ow5p.x.rootbsd.net [208.79.81.114]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7B2E1A1AC2 for <dnsop@ietf.org>; Mon, 22 Sep 2014 06:21:39 -0700 (PDT)
Received: from mx1.yitter.info (nat-08-mht.dyndns.com [216.146.45.247]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.yitter.info (Postfix) with ESMTPSA id 4AA1B8A031 for <dnsop@ietf.org>; Mon, 22 Sep 2014 13:21:38 +0000 (UTC)
Date: Mon, 22 Sep 2014 09:21:31 -0400
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnsop@ietf.org
Message-ID: <20140922132131.GA98041@mx1.yitter.info>
References: <20140921115222.GB16178@xs.powerdns.com> <541F1AE8.6010709@redbarn.org> <CAAF6GDdttYNDBDSROiHSGkkvRZ5Pxfm0W_d68x=POXgU_SsYOg@mail.gmail.com> <541F569D.9040508@redbarn.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <541F569D.9040508@redbarn.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/CZ9olh9y50nCQcVABFEmtbXpPBM
Subject: Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/ANAME apex record in PowerDNS
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Sep 2014 13:21:41 -0000
On Sun, Sep 21, 2014 at 03:52:13PM -0700, Paul Vixie wrote: > does the ANAME(/ALIAS) server proxy every request, so, no caching? Some people have tried to implement it that way. This is an excellent way to DoS your server, it turns out (rumour has it that someone learned that in production; but if you make a fairly simple performance model you can derive this result on paper). > if it caches, does it implement "client subnet"? It sort of has to, not that it will necessarily be useful. An important use case is CDNs, and since you probably want to do stupid DNS tricks based on the source of the query, you better do client subnet with it. (Of course, statistically speaking right now that means, "Works for Google and OpenDNS and not really anyone else.") > proxied request times out (or servfails), does the original authority > request also time out (or servfail?) and i wonder-- if the proxy request > returns NXDOMAIN, what does the authority answer with? There are use cases where the "right" answer is to extend the cache value you had, even though the TTL has expired. In other cases, you should just pass on whatever you got, so you're working like a cache. > what the implementers of this nonstandard feature seem to want is > cname-and-other-data, by which i mean, a requester-visible alias that > can live at the apex, and then have its target resolved in the > requester's context. i'm not sure how best to do it, but i'm not liking > the implications of always-proxy nor proxy-with-cache. Yes. For what it's worth, at Dyn we've come up with four different designs for this functionality, every one of which has some compromise that has caused my product people to say, "No, not like that." I am increasingly convinced that this feature is one of those well-known ponies. A -- Andrew Sullivan ajs@anvilwalrusden.com
- Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/A… Paul Vixie
- [DNSOP] fyi [Pdns-users] Please test: ALIAS/ANAME… bert hubert
- Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/A… Paul Hoffman
- Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/A… bert hubert
- Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/A… Dick Franks
- Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/A… Suzanne Woolf
- Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/A… Doug Barton
- Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/A… Doug Barton
- Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/A… David Conrad
- Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/A… Paul Vixie
- Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/A… David Conrad
- Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/A… Colm MacCárthaigh
- Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/A… Paul Vixie
- Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/A… Suzanne Woolf
- Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/A… Tony Finch
- Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/A… Tony Finch
- Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/A… Tony Finch
- Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/A… John Levine
- Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/A… Dick Franks
- Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/A… Tony Finch
- Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/A… Andrew Sullivan
- Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/A… Dick Franks
- Re: [DNSOP] DNSSEC and ALIAS/ANAME apex record in… Paul Hoffman
- Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/A… Tony Finch
- Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/A… Colm MacCárthaigh
- Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/A… Olafur Gudmundsson
- Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/A… bert hubert
- Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/A… bert hubert
- Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/A… Paul Wouters