Re: [DNSOP] abandoning ANAME and standardizing CNAME at apex

Tony Finch <dot@dotat.at> Mon, 25 June 2018 16:08 UTC

Date: Mon, 25 Jun 2018 17:08:52 +0100
From: Tony Finch <dot@dotat.at>
To: Paul Vixie <paul@redbarn.org>
cc: dnsop@ietf.org, Paul Wouters <paul@nohats.ca>, Ray Bellis <ray@bellis.me.uk>
In-Reply-To: <5B310E8F.6060901@redbarn.org>
Message-ID: <alpine.DEB.2.11.1806251649580.916@grey.csi.cam.ac.uk>
References: <CAJhMdTO2kj+nUqESg3ew=wwZuB9OzkJE6pST=mae7pHiEk4-Qw@mail.gmail.com> <20180619190213.B76962846E19@ary.qy> <20180622182752.GA83312@isc.org> <af9b422a-90a0-b204-70d6-12566d7b65dc@bellis.me.uk> <alpine.DEB.2.11.1806251459510.916@grey.csi.cam.ac.uk> <alpine.LRH.2.21.1806251104490.18905@bofh.nohats.ca> <alpine.DEB.2.11.1806251637060.916@grey.csi.cam.ac.uk> <5B310E8F.6060901@redbarn.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/H-7E2ySVcgwAopgoKbObHfRy0C0>

Paul Vixie <paul@redbarn.org> wrote:
>
> what do you expect non-dynamic servers to do in the presence of ANAME? i
> assume you'll recommend that they also host real A and AAAA RRsets at the same
> name-node, which only a dynamic authoritative would ignore?

Yes.

> if so, there's a third work flow available, which is to use RFC 2136 dynamic
> update to periodically update those "last resort" or "static" A and AAAA
> RRsets, for a non-dynamic server.

Yes.

> and if so, why aren't we just specifying that, and avoiding the creation of a
> new kind of authority server ("dynamic")?

A dynamic auth is (from the point of view of the trad DNS model) a kind of
master server: it has the signing keys (which secondaries don't), it
determines the contents of the zone according to its own rules (whereas
secondaries passively receive contents from elsewhere). Services like
Route53 and Dyn are effectively multi-master setups.

Dynamic auth servers exist. I would be pleased if ANAME makes it easier
for zone owners to move between providers with fewer portability problems
due to proprietary DNS extensions. Dunno how plausible that is, but
there's clearly demand, e.g. my favourite example (because they're using
one of my tools): https://www.theguardian.com/info/developer-blog/2016/dec/23/multiple-dns-synchronising-dyn-to-aws-route-53

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
South Utsire: Northwesterly 5 to 7. Moderate, occasionally rough in south.
Fair. Good.
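The two deployment models discussed in the message above (a "dynamic" authoritative that expands the ANAME itself, and a non-dynamic authoritative that serves sibling A/AAAA records kept fresh by periodic RFC 2136 updates) can be modelled in a few lines. The following is an added illustration, not code from the thread, from any ANAME draft, or from any DNS server; the zone contents, the `cdn.provider.test.` target, the addresses and the in-memory `fake_resolve` lookup are all constructed, and the ANAME expansion rules are a simplification of the draft semantics.

```python
"""Model of ANAME handling by dynamic vs non-dynamic authoritative servers.

Added illustration only; names, addresses and the resolver are constructed.
"""
from typing import Callable, Dict, List, Optional, Tuple

# A zone is a map of (owner, rtype) -> list of rdata strings.
# The apex carries an ANAME plus "last resort" A/AAAA sibling records,
# exactly the layout a non-dynamic server is expected to host.
ZONE: Dict[Tuple[str, str], List[str]] = {
    ("example.test.", "SOA"): [
        "ns1.example.test. hostmaster.example.test. 1 3600 900 1209600 300"
    ],
    ("example.test.", "NS"): ["ns1.example.test."],
    ("example.test.", "ANAME"): ["cdn.provider.test."],
    ("example.test.", "A"): ["192.0.2.1"],        # static fallback
    ("example.test.", "AAAA"): ["2001:db8::1"],   # static fallback
}

# Stand-in for a recursive lookup of the ANAME target (constructed data).
# Returns None when the lookup fails, so callers can fall back.
Resolver = Callable[[str, str], Optional[List[str]]]

CDN_ANSWERS = {
    ("cdn.provider.test.", "A"): ["203.0.113.10", "203.0.113.11"],
    ("cdn.provider.test.", "AAAA"): ["2001:db8:cdd::10"],
}


def fake_resolve(name: str, rtype: str) -> Optional[List[str]]:
    return CDN_ANSWERS.get((name, rtype))


def answer(zone, qname: str, qtype: str, resolve: Optional[Resolver] = None):
    """Answer a query for one owner name.

    With a resolver the server behaves like a dynamic auth: it substitutes the
    ANAME target's addresses, falling back to the sibling A/AAAA records if the
    target lookup fails.  Without a resolver it behaves like a plain
    (non-dynamic) auth and serves whatever sibling records are in the zone.
    """
    static = list(zone.get((qname, qtype), []))
    if qtype not in ("A", "AAAA"):
        return static
    targets = zone.get((qname, "ANAME"))
    if resolve is None or not targets:
        return static
    expanded = resolve(targets[0], qtype)
    return list(expanded) if expanded else static


def refresh_static(zone, resolve: Resolver):
    """Third workflow from the thread: compute the A/AAAA RRsets that a periodic
    RFC 2136 update would push into a non-dynamic server's zone.

    Returns {(owner, rtype): (old_rdata, new_rdata)} for RRsets that changed.
    A failed target lookup produces no change, so the last-known-good
    fallback records survive an outage of the target.
    """
    changes = {}
    for (owner, rtype), targets in zone.items():
        if rtype != "ANAME":
            continue
        for addr_type in ("A", "AAAA"):
            new = resolve(targets[0], addr_type)
            if not new:
                continue
            old = list(zone.get((owner, addr_type), []))
            if sorted(new) != sorted(old):
                changes[(owner, addr_type)] = (old, list(new))
    return changes


if __name__ == "__main__":
    print("non-dynamic:", answer(ZONE, "example.test.", "A"))
    print("dynamic:    ", answer(ZONE, "example.test.", "A", fake_resolve))
    print("update set: ", refresh_static(ZONE, fake_resolve))
```

In a real deployment the dict returned by `refresh_static` would be turned into an RFC 2136 UPDATE (delete the old RRset, add the new one) and sent to the primary, which is the "third work flow" Paul describes; the point worth noticing is that both code paths leave the static sibling records in place whenever the target cannot be resolved, so a non-dynamic server never serves an empty answer.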