Re: [DNSOP] abandoning ANAME and standardizing CNAME at apex

Evan Hunt <each@isc.org> Sat, 23 June 2018 00:40 UTC

Return-Path: <each@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 033E21271FF for <dnsop@ietfa.amsl.com>; Fri, 22 Jun 2018 17:40:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GJAq4amNkwbf for <dnsop@ietfa.amsl.com>; Fri, 22 Jun 2018 17:40:11 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02529126CB6 for <dnsop@ietf.org>; Fri, 22 Jun 2018 17:40:11 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [149.20.48.19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id DE4FE3AB05B; Sat, 23 Jun 2018 00:40:10 +0000 (UTC)
Received: by bikeshed.isc.org (Postfix, from userid 10292) id C6D2E216C1C; Sat, 23 Jun 2018 00:40:10 +0000 (UTC)
Date: Sat, 23 Jun 2018 00:40:10 +0000
From: Evan Hunt <each@isc.org>
To: John R Levine <johnl@taugh.com>
Cc: dnsop@ietf.org
Message-ID: <20180623004010.GE83312@isc.org>
References: <CAJhMdTO2kj+nUqESg3ew=wwZuB9OzkJE6pST=mae7pHiEk4-Qw@mail.gmail.com> <20180619190213.B76962846E19@ary.qy> <20180622182752.GA83312@isc.org> <alpine.OSX.2.21.1806221517590.29829@ary.qy>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <alpine.OSX.2.21.1806221517590.29829@ary.qy>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/RLNe8nHn0c3sffV7KkitI5JIbfc>
Subject: Re: [DNSOP] abandoning ANAME and standardizing CNAME at apex
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jun 2018 00:40:14 -0000

On Fri, Jun 22, 2018 at 03:18:43PM -0400, John R Levine wrote:
> > Minor clarification here: ANAME doesn't require the authoritative server
> > itself to do recursion; it requires it to have access to a reursive
> > server.
> 
> I suppose, but that seems to me a distinction without a difference. 
> Either way we end up importing all of the failure modes of a recursive 
> server into an authoritative one.

I wasn't disagreeing about it being regrettable, I just wanted to nip in
the bud any repeat of the argument that the auth server would itself have
to be upgraded into a recursive server.

The goal of ANAME is for the processing to be done on the resolver side.
Addresses that are included in the authoritative response alongside
ANAME should be ignored by the resolver and re-queried.  But, for the
benefit of legacy resolvers that don't know what to do with an ANAME, the
auth would need to provide some sort of usable answer, which means it has
to be able to look up addresses for the target name (whether it does that
internally or via resolv.conf). It would be nice if that could be avoided,
but there's no straightforward way.

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.