[DNSOP] fyi [Pdns-users] Please test: ALIAS/ANAME apex record in PowerDNS

bert hubert <bert.hubert@netherlabs.nl> Sun, 21 September 2014 11:52 UTC

Return-Path: <ahu@xs.powerdns.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9DB6A1A00A9 for <dnsop@ietfa.amsl.com>; Sun, 21 Sep 2014 04:52:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.653
X-Spam-Level:
X-Spam-Status: No, score=-1.653 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, RP_MATCHES_RCVD=-1.652] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PW6EIik8GWKF for <dnsop@ietfa.amsl.com>; Sun, 21 Sep 2014 04:52:26 -0700 (PDT)
Received: from xs.powerdns.com (xs.powerdns.com [IPv6:2001:888:2000:1d::2]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC5A51A008F for <dnsop@ietf.org>; Sun, 21 Sep 2014 04:52:25 -0700 (PDT)
Received: from ahu by xs.powerdns.com with local (Exim 4.71) (envelope-from <ahu@xs.powerdns.com>) id 1XVfgk-0006rE-E9 for dnsop@ietf.org; Sun, 21 Sep 2014 13:52:22 +0200
Date: Sun, 21 Sep 2014 13:52:22 +0200
From: bert hubert <bert.hubert@netherlabs.nl>
To: dnsop@ietf.org
Message-ID: <20140921115222.GB16178@xs.powerdns.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.5.20 (2009-06-14)
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/R3xnP73ZGNCY6ZHAUFt6W7QO05o
Subject: [DNSOP] fyi [Pdns-users] Please test: ALIAS/ANAME apex record in PowerDNS
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Sep 2014 11:52:28 -0000

Hi everybody,

Your input on the initial implementation described below would be most
appreciated.  I see this as a dns operations issue since it does not
describe an on-the wire change, except when we do AXFR perhaps.  It is
mostly a feature.

However, even features could have interoperability issues, and it would be
nice if we were aligned.

The last forwared paragraph below says "Please let us know your thoughts
based on the semantics outlined above.  Would this work for you?  Do you
miss anything?  Is there a need for multiple ALIAS statements for load
balancing?  Are we needlessly incompatible with existing implementations? 
Is there standardization work we could align against?"

Thanks!

	Bert

----- Forwarded message from bert hubert <bert.hubert@netherlabs.nl> -----

Date: Sun, 21 Sep 2014 12:54:07 +0200
From: bert hubert <bert.hubert@netherlabs.nl>
To: pdns-users@mailman.powerdns.com
Subject: [Pdns-users] Please test: ALIAS/ANAME apex record in PowerDNS

Hi everybody,

Based on strong user interest, we are fast-tracking the implementation of
ALIAS/ANAME records, to solve the 'CNAME at apex' problem. Because of the
fast-tracking, we need rapid feedback to see if we got it right (see the end
of the mail for details).

In short, you can CNAME 'www.yourdomain.com' to a CDN or somewhere else, but
you can't CNAME 'yourdomain.com', since that breaks DNS. This blogpost by
CloudFlare expands on the problem:
https://support.cloudflare.com/hc/en-us/articles/200169056-CNAME-Flattening-RFC-compliant-support-for-CNAME-at-the-root

Today, we implemented ALIAS support as an experimental PowerDNS feature,
which allows the following:

$ORIGIN example.com.
@       IN      SOA     ns1 ahu 2014091619 7200 3600 1209600 3600
@       IN      NS      ns1
@       IN      NS      ns2
www     IN      CNAME   xs.powerdns.com.
ns1     IN      A       1.2.3.4
ns2     IN      A       4.3.2.1
@       IN      ALIAS   www.powerdns.com.
@       IN      MX      25 outpost.ds9a.nl.
elsewhere       IN      CNAME   @

The branch can be found on https://github.com/PowerDNS/pdns/tree/alias and
we should have packages soon. 

The current semantics for the ALIAS pseudo-record are that they only match
if no real record did.  So in the case above, an MX query for example.com
would return "25 outpost.ds9a.nl".  But a query for AAAA would return the
IPv6 address obtained by following the www.powerdns.com CNAME chain to
xs.powerdns.com. This also works for all other record types, btw.

Our implementation uses a defined resolver to look up the actually requested
record, and adds the data found to the packet built so far. This means that
querying 'elsewhere.example.com' will include a CNAME to example.com, which
in turn will lead to processing of the ALIAS record.

Finally, for TTL, we currently use what the resolver gave us. But perhaps we
could use the TTL of the ALIAS record instead, or as a maximum? Or minimum?

Please let us know your thoughts based on the semantics outlined above.
Would this work for you? Do you miss anything? Is there a need for multiple
ALIAS statements for load balancing? Are we needlessly incompatible with
existing implementations? Is there standardization work we could align
against?

Your input is highly welcome!

	Bert

PS: the above is currently not yet supported for DNSSEC domains!

-- 
PowerDNS Website: http://www.powerdns.com/
Contact us by phone on +31-15-7850372

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users


----- End forwarded message -----