Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00.txt

Willem Toorop <willem@nlnetlabs.nl> Wed, 19 July 2017 09:49 UTC

Return-Path: <willem@nlnetlabs.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DD42131950 for <dnsop@ietfa.amsl.com>; Wed, 19 Jul 2017 02:49:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.001
X-Spam-Level:
X-Spam-Status: No, score=-7.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iCpipUHz2fNi for <dnsop@ietfa.amsl.com>; Wed, 19 Jul 2017 02:49:39 -0700 (PDT)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [IPv6:2a04:b900::1:0:0:10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A87E126C0F for <dnsop@ietf.org>; Wed, 19 Jul 2017 02:49:39 -0700 (PDT)
Received: from [IPv6:2001:67c:370:128:1dfc:dfb0:d149:8bac] (unknown [IPv6:2001:67c:370:128:1dfc:dfb0:d149:8bac]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id 13FDDBD9D; Wed, 19 Jul 2017 11:49:37 +0200 (CEST)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=none header.from=nlnetlabs.nl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1500457777; bh=YbExPMY5zjNGCNxdTLwe3+/LwBqGpurkrLTU2vuV9Qg=; h=Subject:To:Cc:References:From:Date:In-Reply-To; b=IP61uDPEx5GGXxoHMTxlIXvGOJk0Gip4yyt7Fy0ZRwxNpuGSy8ycX5SrITpEw+sK/ zoIpWFrW7NKX7fYQ5NgtKYD6HhcNTn0dNz28NnA5Ff7LrtAebRokC17sxvVyKb3z+o B7k+e2BG9vx0HpUPVkNOVP+3C6TRysF02XuRQOG0=
To: Tony Finch <dot@dotat.at>
Cc: dnsop@ietf.org
References: <149592096439.3966.11385984990945858242@ietfa.amsl.com> <0edbf3f2-e575-3b34-d3f2-f1424f29f6e4@nlnetlabs.nl> <alpine.DEB.2.11.1707181622300.27210@grey.csi.cam.ac.uk>
From: Willem Toorop <willem@nlnetlabs.nl>
Message-ID: <357beca7-84e5-81b9-5d2e-88a31684625a@nlnetlabs.nl>
Date: Wed, 19 Jul 2017 11:49:35 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <alpine.DEB.2.11.1707181622300.27210@grey.csi.cam.ac.uk>
Content-Type: text/plain; charset=utf-8
Content-Language: en-GB
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Ms9sWCl0mIk_HSMyBLXIccyadWQ>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jul 2017 09:49:41 -0000

Op 18-07-17 om 18:09 schreef Tony Finch:
> The other kind of DNS server that might be able to do something useful
> with ANAME is a recursive server, so it could co-operate nicely with
> authoritative servers that are playing clever tricks. But the rDNS will
> have to be careful about not breaking downstream validators.
> 
> Say (for example) my zone has:
> 
> dotat.at.	ANAME	www.chiark.greenend.org.uk.
> dotat.at.	RRSIG	ANAME
> dotat.at.	A	212.13.197.229
> dotat.at.	RRSIG	A
> dotat.at.	AAAA	2001:ba8:1e3::
> dotat.at.	RRSIG	AAAA
> 
> A client queries its resolver for dotat.at A, but chiark has renumbered,
> so the client gets a response from the ANAME-aware resolver like below. A
> validating ANAME-aware client can see it should use the additional address
> 212.13.197.231 in preference to the address in the answer.
> 
> ; ANSWER
> dotat.at.       A       212.13.197.229
> dotat.at.	RRSIG	A
> 
> ; ADDITIONAL
> dotat.at.       AAAA    2001:ba8:1e3::
> dotat.at.	RRSIG	AAAA
> dotat.at.       ANAME   www.chiark.greenend.org.uk.
> dotat.at.	RRSIG	ANAME
> www.chiark.greenend.org.uk.	A	212.13.197.231
> www.chiark.greenend.org.uk.	RRSIG	A
> www.chiark.greenend.org.uk.	AAAA    2001:ba8:1e3::
> www.chiark.greenend.org.uk.	RRSIG	AAAA
> 
> Note that neither the resolver nor the client needs any algorithm updates
> to avoid being confused by this additional information; they just need a
> code update so that they are able to make good use of it.
> 
> If the resolver knows the client is DNSSEC-oblivious then it can do the
> substitution itself and return a simple answer like this:
> 
> dotat.at.	A	212.13.197.231
> 
> Validating but ANAME-oblivious resolvers won't get to enjoy clever
> latency minimization tricks.

Yes!  This should be included in the aname draft.
Thanks,

-- Willem
> 
> Tony.
>