Re: [DNSOP] abandoning ANAME and standardizing CNAME at apex

Paul Vixie, Sun, 24 June 2018 03:36 UTC

List-Id: IETF DNSOP WG mailing list

Joe Abley wrote:
> On Jun 23, 2018, at 22:45, Paul Vixie wrote:
>> Joe Abley wrote:
>>> I think a pragmatic solution needs to work in unsigned zones.
>>> ...
>> can someone ask the IAB to rule on whether any new internet technology standard should address unsigned DNS zones, or for that matter, IPv4 networks?
>> "let's move on."
> I agree with the sentiment, but in practical terms in 2018 I think
> this is just a recipe for more DNS extensions without standardisation,
> which will not help customers who want diversity in providers or who
> want to be able to switch providers easily.

yes, i know, and i'm strangely OK with that. market chaos will be 
painful, and could drive dnssec adoption, if the only standard way to 
get some cool new thing is if you have an NSEC bitmap to work with.

we should have cut off EDNS-incompatible name service clients and 
servers who could not either implement, or signal nonimplementation 
successfully, after 2004. five years should be enough, but only ever 
will be enough if there's Tough Love somewhere in the equation.

> To the example at hand, enterprise DNS providers have already
> implemented XNAME-like functionality in unsigned zones and are
> selling it. If they can't easily support a standardised mechanism,
> they're going to carry on selling what they have.

right, which will hurt their addressable market calculations. bring it on!

> ...
> If there was a visible horizon where DNSSEC was in widespread demand
> and a zone being unsigned was unusual, I would think differently.

"cart, meet horse."

P Vixie