Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-aname-00.txt

"John Levine" <> Fri, 14 April 2017 20:03 UTC

Date: 14 Apr 2017 20:03:16 -0000
Message-ID: <20170414200316.86192.qmail@ary.lan>
From: "John Levine" <>
Subject: Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-aname-00.txt
List-Id: IETF DNSOP WG mailing list <>

In article <> you write:
>> Wouldn't it be safer to put the ANAME in the additional section?
>My thinking was that given that DNAME got away with being in ANSWER, so 
>could we.

Seems to me that it belongs in the answer section, since for aname-aware
resolvers the aname is the answer.

>> Do we care about SSHFP?
>I understand the question but I’m uncomfortable extending ANAME beyond 
>address types. I will put it on the list of things that need more thought.

Type bitmaps like the ones in NSEC wouldn't be hard to implement.  Add
some sanity rules saying that type bits for DNSSEC types and the like
are ignored, and it's an error to include any types also present at
the same name.