Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/ANAME apex record in PowerDNS

bert hubert <bert.hubert@netherlabs.nl> Mon, 22 September 2014 19:15 UTC

Date: Mon, 22 Sep 2014 21:15:48 +0200
From: bert hubert <bert.hubert@netherlabs.nl>
To: dnsop@ietf.org
Message-ID: <20140922191547.GA31907@xs.powerdns.com>
References: <20140921115222.GB16178@xs.powerdns.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20140921115222.GB16178@xs.powerdns.com>
User-Agent: Mutt/1.5.20 (2009-06-14)
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/MXJgRLaANibeuFzsWl8IiqKZL30
Subject: Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/ANAME apex record in PowerDNS

Based on the discussions here (thanks!), I've now written this up as:

https://github.com/PowerDNS/pdns/blob/alias/pdns/docs/alias.md

The ALIAS record
The ALIAS record leads authoritative servers to synthesize A or AAAA records
in case these are not present. The source of the synthesized A or AAAA
record is specified by the target of the ALIAS record.

etc..

Feedback welcome! I note that there has been discussion on EDNS0 probing and
other fancy things, but please note that this feature is needed to solve a
problem we have today. This means it can't involve upgrades to
infrastructure except for that operated by the people with the problem -
authoritative servers.

	Bert

On Sun, Sep 21, 2014 at 01:52:22PM +0200, bert hubert wrote:
> Hi everybody,
> 
> Your input on the initial implementation described below would be most
> appreciated.  I see this as a dns operations issue since it does not
> describe an on-the-wire change, except when we do AXFR perhaps.  It is
> mostly a feature.
> 
> However, even features could have interoperability issues, and it would be
> nice if we were aligned.
> 
> The last forwarded paragraph below says "Please let us know your thoughts
> based on the semantics outlined above.  Would this work for you?  Do you
> miss anything?  Is there a need for multiple ALIAS statements for load
> balancing?  Are we needlessly incompatible with existing implementations? 
> Is there standardization work we could align against?"
> 
> Thanks!
> 
> 	Bert
> 
> ----- Forwarded message from bert hubert <bert.hubert@netherlabs.nl> -----
> 
> Date: Sun, 21 Sep 2014 12:54:07 +0200
> From: bert hubert <bert.hubert@netherlabs.nl>
> To: pdns-users@mailman.powerdns.com
> Subject: [Pdns-users] Please test: ALIAS/ANAME apex record in PowerDNS
> 
> Hi everybody,
> 
> Based on strong user interest, we are fast-tracking the implementation of
> ALIAS/ANAME records, to solve the 'CNAME at apex' problem. Because of the
> fast-tracking, we need rapid feedback to see if we got it right (see the end
> of the mail for details).
> 
> In short, you can CNAME 'www.yourdomain.com' to a CDN or somewhere else, but
> you can't CNAME 'yourdomain.com', since that breaks DNS. This blogpost by
> CloudFlare expands on the problem:
> https://support.cloudflare.com/hc/en-us/articles/200169056-CNAME-Flattening-RFC-compliant-support-for-CNAME-at-the-root
> 
> Today, we implemented ALIAS support as an experimental PowerDNS feature,
> which allows the following:
> 
> $ORIGIN example.com.
> @       IN      SOA     ns1 ahu 2014091619 7200 3600 1209600 3600
> @       IN      NS      ns1
> @       IN      NS      ns2
> www     IN      CNAME   xs.powerdns.com.
> ns1     IN      A       1.2.3.4
> ns2     IN      A       4.3.2.1
> @       IN      ALIAS   www.powerdns.com.
> @       IN      MX      25 outpost.ds9a.nl.
> elsewhere       IN      CNAME   @
> 
> The branch can be found on https://github.com/PowerDNS/pdns/tree/alias and
> we should have packages soon. 
> 
> The current semantics for the ALIAS pseudo-record are that they only match
> if no real record did.  So in the case above, an MX query for example.com
> would return "25 outpost.ds9a.nl".  But a query for AAAA would return the
> IPv6 address obtained by following the www.powerdns.com CNAME chain to
> xs.powerdns.com. This also works for all other record types, btw.
> 
> Our implementation uses a defined resolver to look up the actually requested
> record, and adds the data found to the packet built so far. This means that
> querying 'elsewhere.example.com' will include a CNAME to example.com, which
> in turn will lead to processing of the ALIAS record.
> 
> Finally, for TTL, we currently use what the resolver gave us. But perhaps we
> could use the TTL of the ALIAS record instead, or as a maximum? Or minimum?
> 
> Please let us know your thoughts based on the semantics outlined above.
> Would this work for you? Do you miss anything? Is there a need for multiple
> ALIAS statements for load balancing? Are we needlessly incompatible with
> existing implementations? Is there standardization work we could align
> against?
> 
> Your input is highly welcome!
> 
> 	Bert
> 
> PS: the above is currently not yet supported for DNSSEC domains!
> 
> -- 
> PowerDNS Website: http://www.powerdns.com/
> Contact us by phone on +31-15-7850372
> 
> _______________________________________________
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
> 
> 
> ----- End forwarded message -----
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
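The ALIAS semantics spelled out in the forwarded mail (a real record of the queried type wins; an in-zone CNAME is added to the packet and the chase continues at its target; only then is the ALIAS target looked up via a resolver and the result added, with the TTL question left open) can be modelled in a few dozen lines. The following is an added illustration written for this page, not PowerDNS code from the alias branch. It uses the example.com zone from the mail, and stands in for the upstream resolver with a constructed in-memory table (the www.powerdns.com CNAME chain and the 192.0.2.10 / 2001:db8::10 addresses are placeholders, not real data). The `ttl_policy` parameter is an invented knob that exposes the four options Bert asks about.

```python
"""Toy model of ALIAS expansion on an authoritative server.

Added example for this page; not PowerDNS code. The resolver below is a
constructed stub standing in for the real upstream resolver.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name, fully qualified
    rtype: str   # record type as text
    ttl: int
    rdata: str


# Zone for example.com, transcribed from the zone file in the mail
# ($ORIGIN example.com., relative names expanded).
ZONE = [
    RR("example.com.", "SOA", 3600,
       "ns1.example.com. ahu.example.com. 2014091619 7200 3600 1209600 3600"),
    RR("example.com.", "NS", 3600, "ns1.example.com."),
    RR("example.com.", "NS", 3600, "ns2.example.com."),
    RR("www.example.com.", "CNAME", 3600, "xs.powerdns.com."),
    RR("ns1.example.com.", "A", 3600, "1.2.3.4"),
    RR("ns2.example.com.", "A", 3600, "4.3.2.1"),
    RR("example.com.", "ALIAS", 3600, "www.powerdns.com."),
    RR("example.com.", "MX", 3600, "25 outpost.ds9a.nl."),
    RR("elsewhere.example.com.", "CNAME", 3600, "example.com."),
]

# Constructed stand-in for what the upstream resolver knows. Placeholder
# addresses from the documentation ranges; not real powerdns.com data.
UPSTREAM = [
    RR("www.powerdns.com.", "CNAME", 300, "xs.powerdns.com."),
    RR("xs.powerdns.com.", "A", 60, "192.0.2.10"),
    RR("xs.powerdns.com.", "AAAA", 60, "2001:db8::10"),
]


def stub_resolve(qname: str, qtype: str, max_chain: int = 8) -> list[RR]:
    """Stub resolver: chase CNAMEs in UPSTREAM, return the final records of qtype."""
    name = qname
    for _ in range(max_chain):
        hits = [r for r in UPSTREAM if r.name == name and r.rtype == qtype]
        if hits:
            return hits
        cnames = [r for r in UPSTREAM if r.name == name and r.rtype == "CNAME"]
        if not cnames:
            return []          # NODATA / NXDOMAIN from the resolver's point of view
        name = cnames[0].rdata
    return []                  # chain too long; give up rather than loop


def choose_ttl(alias_ttl: int, resolver_ttl: int, policy: str) -> int:
    """The four TTL options raised in the mail (hypothetical policy names)."""
    if policy == "resolver":
        return resolver_ttl
    if policy == "alias":
        return alias_ttl
    if policy == "min":
        return min(alias_ttl, resolver_ttl)
    if policy == "max":
        return max(alias_ttl, resolver_ttl)
    raise ValueError(f"unknown ttl policy {policy!r}")


def answer(qname: str, qtype: str, ttl_policy: str = "resolver",
           resolver=stub_resolve) -> list[RR]:
    """Build the answer section following the semantics described in the mail.

    1. Real records of the requested type at the name win; ALIAS is never consulted then.
    2. An in-zone CNAME is added to the packet and processing continues at its target.
    3. If the (possibly CNAME-reached) name carries an ALIAS, ask the resolver for
       (target, qtype) and add the data it found, owned by the name being answered.
    """
    packet: list[RR] = []
    name = qname
    seen: set[str] = set()     # guards against CNAME loops inside the zone
    while name not in seen:
        seen.add(name)
        real = [r for r in ZONE if r.name == name and r.rtype == qtype]
        if real:
            packet.extend(real)
            return packet
        cname = [r for r in ZONE if r.name == name and r.rtype == "CNAME"]
        if cname:
            packet.extend(cname)
            name = cname[0].rdata   # may be out of zone; then nothing more is found
            continue
        alias = [r for r in ZONE if r.name == name and r.rtype == "ALIAS"]
        if alias:
            for found in resolver(alias[0].rdata, qtype):
                ttl = choose_ttl(alias[0].ttl, found.ttl, ttl_policy)
                packet.append(RR(name, qtype, ttl, found.rdata))
        return packet
    return packet


if __name__ == "__main__":
    for q in [("example.com.", "MX"), ("example.com.", "AAAA"),
              ("elsewhere.example.com.", "A"), ("www.example.com.", "A")]:
        print(q, answer(*q))
```

Two points worth noticing when running it: a query for a type the target does not have (say TXT for example.com) yields an empty answer, so the ALIAS pseudo-record does not turn NODATA into an error; and the synthesized addresses are only as trustworthy as the resolver path the authoritative server is configured to use, which is one reason the mail notes DNSSEC zones are not yet covered.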