Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00.txt
Willem Toorop <willem@nlnetlabs.nl> Wed, 19 July 2017 09:49 UTC
Return-Path: <willem@nlnetlabs.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DD42131950 for <dnsop@ietfa.amsl.com>; Wed, 19 Jul 2017 02:49:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.001
X-Spam-Level:
X-Spam-Status: No, score=-7.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iCpipUHz2fNi for <dnsop@ietfa.amsl.com>; Wed, 19 Jul 2017 02:49:39 -0700 (PDT)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [IPv6:2a04:b900::1:0:0:10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A87E126C0F for <dnsop@ietf.org>; Wed, 19 Jul 2017 02:49:39 -0700 (PDT)
Received: from [IPv6:2001:67c:370:128:1dfc:dfb0:d149:8bac] (unknown [IPv6:2001:67c:370:128:1dfc:dfb0:d149:8bac]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id 13FDDBD9D; Wed, 19 Jul 2017 11:49:37 +0200 (CEST)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=none header.from=nlnetlabs.nl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1500457777; bh=YbExPMY5zjNGCNxdTLwe3+/LwBqGpurkrLTU2vuV9Qg=; h=Subject:To:Cc:References:From:Date:In-Reply-To; b=IP61uDPEx5GGXxoHMTxlIXvGOJk0Gip4yyt7Fy0ZRwxNpuGSy8ycX5SrITpEw+sK/ zoIpWFrW7NKX7fYQ5NgtKYD6HhcNTn0dNz28NnA5Ff7LrtAebRokC17sxvVyKb3z+o B7k+e2BG9vx0HpUPVkNOVP+3C6TRysF02XuRQOG0=
To: Tony Finch <dot@dotat.at>
Cc: dnsop@ietf.org
References: <149592096439.3966.11385984990945858242@ietfa.amsl.com> <0edbf3f2-e575-3b34-d3f2-f1424f29f6e4@nlnetlabs.nl> <alpine.DEB.2.11.1707181622300.27210@grey.csi.cam.ac.uk>
From: Willem Toorop <willem@nlnetlabs.nl>
Message-ID: <357beca7-84e5-81b9-5d2e-88a31684625a@nlnetlabs.nl>
Date: Wed, 19 Jul 2017 11:49:35 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <alpine.DEB.2.11.1707181622300.27210@grey.csi.cam.ac.uk>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-GB
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Ms9sWCl0mIk_HSMyBLXIccyadWQ>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jul 2017 09:49:41 -0000
Op 18-07-17 om 18:09 schreef Tony Finch: > The other kind of DNS server that might be able to do something useful > with ANAME is a recursive server, so it could co-operate nicely with > authoritative servers that are playing clever tricks. But the rDNS will > have to be careful about not breaking downstream validators. > > Say (for example) my zone has: > > dotat.at. ANAME www.chiark.greenend.org.uk. > dotat.at. RRSIG ANAME > dotat.at. A 212.13.197.229 > dotat.at. RRSIG A > dotat.at. AAAA 2001:ba8:1e3:: > dotat.at. RRSIG AAAA > > A client queries its resolver for dotat.at A, but chiark has renumbered, > so the client gets a response from the ANAME-aware resolver like below. A > validating ANAME-aware client can see it should use the additional address > 212.13.197.231 in preference to the address in the answer. > > ; ANSWER > dotat.at. A 212.13.197.229 > dotat.at. RRSIG A > > ; ADDITIONAL > dotat.at. AAAA 2001:ba8:1e3:: > dotat.at. RRSIG AAAA > dotat.at. ANAME www.chiark.greenend.org.uk. > dotat.at. RRSIG ANAME > www.chiark.greenend.org.uk. A 212.13.197.231 > www.chiark.greenend.org.uk. RRSIG A > www.chiark.greenend.org.uk. AAAA 2001:ba8:1e3:: > www.chiark.greenend.org.uk. RRSIG AAAA > > Note that neither the resolver nor the client needs any algorithm updates > to avoid being confused by this additional information; they just need a > code update so that they are able to make good use of it. > > If the resolver knows the client is DNSSEC-oblivious then it can do the > substitution itself and return a simple answer like this: > > dotat.at. A 212.13.197.231 > > Validating but ANAME-oblivious resolvers won't get to enjoy clever > latency minimization tricks. Yes! This should be included in the aname draft. Thanks, -- Willem > > Tony. >
- [DNSOP] I-D Action: draft-ietf-dnsop-aname-00.txt internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00… Willem Toorop
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00… Andrew Sullivan
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00… Tony Finch
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00… Andrew Sullivan
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00… Tony Finch
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00… Willem Toorop
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00… Stephane Bortzmeyer
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00… Tony Finch
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00… Wessels, Duane