Re: [DNSOP] Fundamental ANAME problems
manu tman <chantr4@gmail.com> Mon, 05 November 2018 12:25 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/RtV6Zq2AN-db5YnjEHcKBg-zMcU>

I like the ANAME idea and find it overall simple if what we are trying to solve is CNAME at apex. If what is being solved is per service then it is another story.

As much as I like it, I find the resolution at the auth nameserver a bad thing for a couple of reasons. As has been mentioned before:

1) it will add workload on the authoritative nameserver which so far was mostly doing key/value lookups and now may need to either recurse or forward to a recursor.
2) the resolution from such lookup will be wrong for resolver/ecs based answers as you will now get an answer for the recursor at the authoritative site instead of the client (recursor talking to the auth or ECS).

While doing per site ANAME resolution may make the answers a bit more accurate, it will definitely not help with operations. If someone wants to do the chaining, I guess they could already do it with some tooling on their side which will perform regular lookup and update their zones so essentially making the ANAME resolution an out of band task.

If all that was required was to return an ANAME in the additional section, it would be pretty straightforward to implement on the authoritative side and add no complexity there nor workload (or very minimal).

On the recursor side, this will most likely heavily reuse the CNAME logic and may not be that complex to implement (implementors may tell otherwise). Recursors that understand ANAMEs will be able to treat it as a CNAME and follow the name chain just like for CNAME. If they don't, well nothing has changed for them.

It may take time before it gets widely deployed, but it would be a simple solution that could be easily implemented by the auth that are interested in it, get picked up as the recursors get upgraded and be backward compatible during the transition phase.

Manu

On Mon, Nov 5, 2018 at 3:35 PM Måns Nilsson <mansaxel@besserwisser.org> wrote:

> Subject: Re: [DNSOP] Fundamental ANAME problems Date: Fri, Nov 02, 2018 at 04:39:09PM +0000
> Quoting Tony Finch (dot@dotat.at):
> > It's really good to see more discussion about ANAME.
>
> I agree.
>
> > I think a resolver-side or client-side alternative (like the various
> > web-specific record types we have been discussing) is definitely something
> > we should aim for in the long term, but that isn't what this work is
> > about.
>
> IMNSHO _any_ work on "fixing CNAMES at apex" that gets traction is
> a spanner in the works for what we seem to agree is a better solution.
> An interim fix will be deployed and stall every attempt at DTRT.
>
> I am well aware of "perfect being the enemy of good enough" but I'm not
> certain DNAME is "good enough".
>
> --
> Måns Nilsson primary/secondary/besserwisser/machina
> MN-1334-RIPE SA0XLR +46 705 989668
> Now KEN and BARBIE are PERMANENTLY ADDICTED to MIND-ALTERING DRUGS ...
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
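
The second objection in the message above (an answer computed for the recursor at the authoritative site instead of for the client), as an added illustration that is not part of the original message or of any ANAME draft. It is a small offline model: the steering policy, all addresses (documentation ranges) and the function names are constructed assumptions.

```python
import ipaddress

# Constructed steering policy of the ANAME target's operator (documentation ranges).
POLICY = [
    (ipaddress.ip_network("198.51.100.0/24"), "192.0.2.10"),  # edge near the client's ISP
    (ipaddress.ip_network("203.0.113.0/24"), "192.0.2.20"),   # edge near the apex authority
]
DEFAULT_EDGE = "192.0.2.30"
AUTH_SITE_RECURSOR = "203.0.113.53"  # hypothetical recursor used by the apex authority


def target_authority(source_ip, ecs=None):
    """Geo-aware authority for the target name: steer on ECS if sent, else on query source."""
    who = ipaddress.ip_network(ecs if ecs else source_ip + "/32", strict=False)
    for net, edge in POLICY:
        if who.subnet_of(net):
            return edge
    return DEFAULT_EDGE


def auth_side_expansion(client_ip, recursor_ip):
    """Apex authority resolves the target itself; client and recursor identity are lost."""
    return target_authority(AUTH_SITE_RECURSOR)


def recursor_side_chase(client_ip, recursor_ip, send_ecs=False):
    """Recursor follows the ANAME like a CNAME, querying the target's authority directly."""
    ecs = None
    if send_ecs:
        # ECS carries the client's network (here truncated to /24), not the full address.
        ecs = str(ipaddress.ip_network(client_ip + "/24", strict=False))
    return target_authority(recursor_ip, ecs)


def compare(client_ip, recursor_ip):
    """Answers the same client would receive under each resolution model."""
    return {
        "auth_side": auth_side_expansion(client_ip, recursor_ip),
        "recursor_side": recursor_side_chase(client_ip, recursor_ip),
        "recursor_side_ecs": recursor_side_chase(client_ip, recursor_ip, send_ecs=True),
    }


if __name__ == "__main__":
    print(compare("198.51.100.7", "198.51.100.53"))  # ISP recursor next to the client
    print(compare("198.51.100.7", "192.0.2.53"))     # distant public recursor
```

In both runs the `auth_side` answer is the edge chosen for the authority's own recursor, whatever the client's location; the recursor-side answers follow the recursor's address or the client subnet it forwards.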