Re: [DNSOP] Fundamental ANAME problems

"Patrik Fältström " <paf@frobbit.se> Sun, 04 November 2018 11:32 UTC

Return-Path: <paf@frobbit.se>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92C59129C6A for <dnsop@ietfa.amsl.com>; Sun, 4 Nov 2018 03:32:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.721
X-Spam-Level:
X-Spam-Status: No, score=-1.721 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=frobbit.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V1sWguos8uKC for <dnsop@ietfa.amsl.com>; Sun, 4 Nov 2018 03:32:04 -0800 (PST)
Received: from mail.frobbit.se (mail.frobbit.se [85.30.129.185]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3F9212426A for <dnsop@ietf.org>; Sun, 4 Nov 2018 03:32:03 -0800 (PST)
Received: from [192.71.80.208] (vpn-client-208.netnod.se [192.71.80.208]) by mail.frobbit.se (Postfix) with ESMTPSA id 34D662390B; Sun, 4 Nov 2018 12:31:59 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=frobbit.se; s=mail; t=1541331121; bh=X2aX0fxWUk1XrMlC2/DjzxQZ2rdQY+HvG8qcNC0hZNY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=LbzrtZo/eEp6V5/MYR30yS0YKVDcwCnqczjEbnvz8eI3SObWg8cQD60KLnatRaC66 6ydh/yNxEDRjG41myqhrdYyFh5vEjzErYOOy2sZr2Iy/PmuNd+EfAhddPYoUXs5CoQ 01/uIdY6oS0v9Hjt0zif0bVn4wYEHmQE0XLBF7YA=
From: Patrik Fältström <paf@frobbit.se>
To: Ray Bellis <ray@bellis.me.uk>
Cc: dnsop@ietf.org
Date: Sun, 04 Nov 2018 15:31:56 +0400
X-Mailer: MailMate (1.12.1r5552)
Message-ID: <DCBDB76E-E9E8-4FAE-9EF4-56EABFFA9AD1@frobbit.se>
In-Reply-To: <00158263-85dd-69ce-5299-13ff4c2411c5@bellis.me.uk>
References: <CAH1iCirXYsYB3sAo8f1Jy-q4meLmQAPSFO-7x5idDufdT_unXQ@mail.gmail.com> <CA+nkc8C6yVT62cW5QP-ec2ZT7FY_n48Ecr=CLeE6FS_1duBO8g@mail.gmail.com> <CAJhMdTOwU88BkukodL_zXcK1=JenExX4HL46Zzbw=+btLbDG2A@mail.gmail.com> <20181103193258.GE20885@besserwisser.org> <3E93AE5D-C8AC-496E-85DB-57E6F8E92DF5@frobbit.se> <00158263-85dd-69ce-5299-13ff4c2411c5@bellis.me.uk>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=_MailMate_AF615D4A-7640-4B25-B150-76B94443B41F_="; micalg="pgp-sha1"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/OUjgYbVhW29wRNxesh9FeQzSPR4>
Subject: Re: [DNSOP] Fundamental ANAME problems
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Nov 2018 11:32:06 -0000

On 4 Nov 2018, at 11:10, Ray Bellis wrote:

> -1

:-)

> What are the semantics of this?

The semantics is exactly like a CNAME + HTTP Redirect.

Provisioning is like any provisioning in the DNS, with the advantage that you can delegate the prefix:ed domain just like you can do with any _tcp and similar prefix domain to whatever administrative entity that manage the web. You can that way separate the DNS and web administration between two different entities.

That some people want a record at the apex is a big mistake as one that way must mix explicitly the administration of that name between two entities that do different things.

See how well the AD delegation works where you can split the AD functionality from the DNS functionality by doing "the right delegations", which makes enterprise DNS much easier to set up than if (more) stuff is to be entered at the apex.

We have apex overload, and that must be taken care of.

   Patrik

> - What appears in the user's UI when the URI record completely replaces the site name entered by the user?
>
> - Which domain name is the SSL cert validated against?
>
> - Which domain name appears in the HTTP Host: header?
>
> - What is the HTTP "Origin" of the resultint content,
>   and which domain's cookies are accepted / sent?
>
> - What if there's also a URI record for 'example-lb-frontend.hosting.namn.se' ?
>
> - How do I provision a wildcard record for this?
>
> I see absolutely zero chance of the web community embracing this.
>
> Ray
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop