Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-01.txt

Evan Hunt <> Fri, 26 January 2018 20:09 UTC

Date: Fri, 26 Jan 2018 20:09:42 +0000
From: Evan Hunt <>
To: Stefan Bühler <>

> I have concerns about the resolver replacing A/AAAA records in signed
> zones as it breaks validation.

What do you mean by "the resolver" in this case?

> If a resolver understanding ANAME is queried using the DO=1 flag it
> shouldn't touch the A/AAAA records, because it already knows the
> requestor would throw them away.

It doesn't *know*. DO=1 doesn't mean the client is validating; it means the
client understands RRSIG.

The draft already advises that ANAME will break validation unless the
validator is ANAME-aware or the auth server has access to the zone's
private key and can sign responses on the fly. (This suggests to me that
the use of ANAME in signed zones will probably be limited at first.)

> This also means a caching resolver should store the original A/AAAA
> records (and not the ones resolved through ANAME) in the cache.


> With this change I don't think it makes sense to say "a resolver MUST
> re-query", I'd use "a resolver SHOULD re-query if it didn't use ECS and
> the query didn't use DO=1".

I'm sorry, I'm not getting this. Please explain further, particularly
with an expansion of the word "it"?

> But I'd add "a resolver MUST include ANAME
> RRset in responses to queries for A/AAAA".

Yes, I'd been assuming it would. If I forgot to mention it in the
draft, I'll fix that.

Evan Hunt --
Internet Systems Consortium, Inc.
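The point above that DO=1 only says the client understands RRSIG (and nothing about whether it validates) rests on where the flag actually lives: the DO bit is the high bit of the 16-bit extended-flags field carried in the TTL of the EDNS(0) OPT pseudo-RR (RFC 6891). The following is an added example, not code from the thread or from any ANAME implementation: it builds an A query with and without an OPT record, reads the DO bit back from the wire, and shows what a server can and cannot infer from it. All names (example.com, the function names, the 1232-byte UDP size) are assumptions chosen for the example.

```python
"""Build a DNS query with an EDNS(0) OPT record and read its DO bit back.

Added example for the ANAME/DO discussion; pure stdlib, no network I/O.
"""
import struct

QTYPE_A = 1
QTYPE_OPT = 41
QCLASS_IN = 1
# RFC 6891 s6.1.3: OPT TTL = EXTENDED-RCODE(8) | VERSION(8) | DO(1) | Z(15)
DO_FLAG = 0x8000  # high bit of the low 16 bits of the OPT TTL field


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int = QTYPE_A, txid: int = 0x1234,
                edns: bool = True, do: bool = False, udp_size: int = 1232) -> bytes:
    """Return a wire-format query; with edns=True an OPT RR is appended."""
    # Header: ID, flags (RD only), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=OPT?1:0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)
    pkt = header + question
    if edns:
        ext_flags = DO_FLAG if do else 0
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL=(ext-rcode<<24 | version<<16 | ext_flags), RDLENGTH=0 (no options)
        ttl = (0 << 24) | (0 << 16) | ext_flags
        pkt += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, udp_size, ttl, 0)
    return pkt


def skip_name(pkt: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name starting at pkt[off]."""
    while True:
        ln = pkt[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer, 2 bytes total
            return off + 2
        off += 1 + ln


def parse_do_bit(pkt: bytes):
    """True/False for the DO bit of the first OPT RR found, None if no EDNS."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == QTYPE_OPT:
            return bool((ttl & 0xFFFF) & DO_FLAG)
        off += rdlen
    return None


def server_should_include_rrsigs(query: bytes) -> bool:
    """What an auth server or resolver may legitimately derive from DO.

    DO=1 means: include RRSIGs (the client understands them).  It does NOT
    mean the client validates, so an ANAME-substituting server cannot use it
    to decide whether substituted A/AAAA records will be rejected.
    """
    return parse_do_bit(query) is True


if __name__ == "__main__":
    for do in (False, True):
        q = build_query("www.example.com", do=do)
        print(f"DO={do}: include RRSIGs -> {server_should_include_rrsigs(q)}")
    print("no EDNS:", parse_do_bit(build_query("www.example.com", edns=False)))
```

Note that the parser walks the question and all RR sections by length rather than assuming the OPT RR is the last record, so it also works on responses where the additional section carries other glue before the OPT RR.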