Re: [DNSOP] Minimum viable ANAME

Tony Finch <> Wed, 19 September 2018 21:08 UTC

From: Tony Finch <>
In-Reply-To: <20180919201401.8E0C220051382A@ary.qy>
Date: Wed, 19 Sep 2018 22:08:45 +0100
To: John Levine <>
Subject: Re: [DNSOP] Minimum viable ANAME

> On 19 Sep 2018, at 21:14, John Levine <> wrote:

> If I look up foo and it has an ANAME to bar, which of these do I get
> back?

foo. A

foo. ANAME bar.
bar. A

The model is that this is a replacement for manually copying address records, with added hints to resolvers that they might want to re-do the copying in order to get geo-optimized answers or other complicated tricks.

> The second is a lot more like what CNAME does, and also avoids having
> to sign on the fly.

With this model, signing only happens where it currently happens. 

> PS: I still think fixing apex CNAME is a better way to go.

There are still DNS servers out there running on 1990s semantics, so I don’t think CNAME can be fixed any time soon - much of my practical annoyance comes from people asking for CNAME and MX and this combination is doom on a stick because it involves crazy MTA DNS message handlers, not just DNS servers. My guess at deployment timelines is:

* minimal ANAME can be deployed unilaterally on the provisioning side 20 years ago and similar features are widely available (you are ahead of me on this one, John!); if resolvers implement it there will be useful amounts of deployed support within a few years

* browser-friendly SRV replacement: two years to standardization; another two years watching caniuse before we can maybe think about not copying A records around; even more years before it becomes as portable on the provisioning side as ANAME is now

* fix CNAME, at least 10 years

f.anthony.n.finch  <>
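The "copy the target's address records to the owner, keep the ANAME as a hint" model described in the mail above, as an added example; this is not code from the thread or from any ANAME implementation. The zone contents, the address data for bar. and the TTL rule (clamp to the smaller of the ANAME TTL and the target's TTL) are constructed assumptions of this example.

```python
"""Model of the provisioning-side 'minimal ANAME' copy step (added example)."""
from typing import Dict, List, Tuple

# A resource record is (owner, ttl, type, rdata); owner names are fully qualified.
RR = Tuple[str, int, str, str]

# Constructed lookup table standing in for resolving the ANAME target's addresses.
TARGET_RRSETS: Dict[Tuple[str, str], List[Tuple[int, str]]] = {
    ("bar.", "A"): [(300, "192.0.2.10"), (300, "192.0.2.11")],
    ("bar.", "AAAA"): [(300, "2001:db8::10")],
}


def expand_aname(zone: List[RR], lookup=TARGET_RRSETS) -> List[RR]:
    """Return the zone with the target's address records copied in at each ANAME owner.

    This is the manual-copy step a provisioning system performs; the ANAME record
    itself is kept so resolvers get the hint. Any address records already present
    at the owner (stale hand-copied data) are replaced, other types are untouched.
    TTL clamping to min(ANAME TTL, target TTL) is an assumption of this example.
    """
    anames = [rr for rr in zone if rr[2] == "ANAME"]
    owners = {rr[0] for rr in anames}
    out = [rr for rr in zone if not (rr[0] in owners and rr[2] in ("A", "AAAA"))]
    for owner, ttl, _, target in anames:
        for rtype in ("A", "AAAA"):
            for target_ttl, rdata in lookup.get((target, rtype), []):
                out.append((owner, min(ttl, target_ttl), rtype, rdata))
    return out


def answer(zone: List[RR], qname: str, qtype: str) -> List[RR]:
    """Records returned for qname/qtype: the copied addresses plus the ANAME hint."""
    expanded = expand_aname(zone)
    ans = [rr for rr in expanded if rr[0] == qname and rr[2] == qtype]
    ans += [rr for rr in expanded if rr[0] == qname and rr[2] == "ANAME"]
    return ans


# Constructed apex zone: MX alongside ANAME, plus a stale hand-copied A record.
ZONE: List[RR] = [
    ("foo.", 3600, "MX", "10 mail.foo."),
    ("foo.", 3600, "ANAME", "bar."),
    ("foo.", 3600, "A", "198.51.100.1"),
]

if __name__ == "__main__":
    for rr in answer(ZONE, "foo.", "A"):
        print(*rr)
```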