Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-01.txt

Stefan Bühler <> Fri, 26 January 2018 11:55 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A82EC12DA05 for <>; Fri, 26 Jan 2018 03:55:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 9a7OJk-sEl7F for <>; Fri, 26 Jan 2018 03:55:02 -0800 (PST)
Received: from ( [IPv6:2a01:4f8:a0:2276::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6C02B12D960 for <>; Fri, 26 Jan 2018 03:55:02 -0800 (PST)
Received: from [IPv6:2a02:8070:a29c:5000:4d45:5ee8:71bb:2e67] (unknown [IPv6:2a02:8070:a29c:5000:4d45:5ee8:71bb:2e67]) by (Postfix) with ESMTPSA id A0FEAB80102 for <>; Fri, 26 Jan 2018 11:54:59 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=stbuehler1; t=1516967699; bh=+cqfGZqxCLDJpuSHnGbreG2QBHYKpJx60wNYcylCkcc=; h=From:Subject:References:To:Date:In-Reply-To:From; b=zBAFI3E5NVpXdvDkYuecD5Caa4WlfK11GajoQHHL51sM/qk8BzrQeOqBJJK/mT60X EXTOKbKP7uk/6J4+7jHGsCLq6at0FmKtefXrkX9mbn0IPTFiALnvpIkovm9lbEPCdY ywuesSQL7hlB2cTMHddTRslOzXl2TsWIu212y0xo=
From: Stefan Bühler <>
References: <>
Message-ID: <>
Date: Fri, 26 Jan 2018 12:54:59 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.2
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-01.txt
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 26 Jan 2018 12:08:03 -0000


I have concerns about the resolver replacing A/AAAA records in signed
zones as it breaks validation.

If a resolver understanding ANAME is queried using the DO=1 flag it
shouldn't touch the A/AAAA records, because it already knows the
requestor would through them away.

This also means a caching resolver should store the original A/AAAA
records (and not the ones resolved through ANAME) in the cache.

With this change I don't think it makes sense to say "a resolver MUST
re-query", I'd use "a resolver SHOULD re-query if it didn't use ECS and
the query didn't use DO=1".  But I'd add "a resolver MUST include ANAME
RRset in respones to queries for A/AAAA".