IETF Logo Mail Archive

Re: [DNSOP] status of the aname and svcb/httpsvc drafts

Brian Dickson <brian.peter.dickson@gmail.com> Sun, 23 February 2020 01:12 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E4353A08D2 for <dnsop@ietfa.amsl.com>; Sat, 22 Feb 2020 17:12:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kxCUgnfLDYh9 for <dnsop@ietfa.amsl.com>; Sat, 22 Feb 2020 17:12:00 -0800 (PST)
Received: from mail-ua1-x933.google.com (mail-ua1-x933.google.com [IPv6:2607:f8b0:4864:20::933]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B6ED3A08D1 for <dnsop@ietf.org>; Sat, 22 Feb 2020 17:11:59 -0800 (PST)
Received: by mail-ua1-x933.google.com with SMTP id y3so2038043uae.3 for <dnsop@ietf.org>; Sat, 22 Feb 2020 17:11:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=yHprprE1eVlIGocGzSddhWVpm2kjN4K5RZHcfJ9syF0=; b=LzT18IeiAkAoE1Ifz6PvAZWMYPGJgrhfChLxqqHncMUeMUcfcC9sC7nhiZQf+Z0a5P y+fKa2DJHO+F3GwpMdjFuiQZPHwriYr6Sx75TIOP58t0JGlZrIL0Oqy/l8oC9aHml4hC hOj4neScZe2e3iOIQZLlQJD8kAda2WNkowryosfbJ1/w1+Fa3MFdz/KzJB4zRGPcJwjd fujLm9MopdmSHM+LaaI+GUbdKB4+UTwBjLjEOBnAJZoYZOi21HchoD8BwRzd37VH3juM BObuHj9FZ/lTvUS2oe4Yfql8wHSZM86UeyLDU9QG+iWKu3uxoAlEKMoJB2A7PezKPfRn 0j6w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=yHprprE1eVlIGocGzSddhWVpm2kjN4K5RZHcfJ9syF0=; b=d/kd7dEXpZ9Q9pFrHn9taSrjZ+Rfkc2bq84U9x6klijdQg4NCtBQ3I7WJPSqmCR5ya 3+cH2kgAcQcmgMJIJhYl0WIzJjJjzLkVcV6kDy2HjtJOIVDjPNHemxBYrJwaaCq4bcxM q7pFsx+8soJ12x4OWhzm5rpB0y9JxYyPLBi54DWcljAvluvh5fhzNWTVQmPhziiop7g9 CnAOVGA0snYc0S5H2oTx2gvgm3NMrUsHNOiQWrVjOUgIZO2WU8ZC/qQA3VF9PvNUuKoQ U0aQB8ysZfqlMWkPuWzUntz2TXjE9ykIh9mRQ0pta09p/l4x/ymniik5LnFZIZ9LJZz7 Jbzg==
X-Gm-Message-State: APjAAAVuD6tx3BhDW+P7bXQzfub9Lky+A9cw+ruRyrfljFcFcebXt5Gl JbqWC3RiI1ydjTLeqhLfFQibJ8ZC5dYi2pAxj+HpOw==
X-Google-Smtp-Source: APXvYqzEWtVc5415hgBwBbJOaZOzFDtCneyRyiQiUIXkt47a9ybfJXbvv58q6rKDqTvgicUjmbzbR481QlKidYwlrXA=
X-Received: by 2002:ab0:74c8:: with SMTP id f8mr21069027uaq.114.1582420318823; Sat, 22 Feb 2020 17:11:58 -0800 (PST)
MIME-Version: 1.0
References: <b34f1b0d-fa65-23d4-1b2b-761b965a2aae@knipp.de> <CAG8jCEzO7zrfL5G5CzdJ=c5wipJgqqHfyeA-a3-QjquoyPYgvg@mail.gmail.com> <3ead518d-f166-1c36-c3e9-18aeb355d160@pletterpet.nl> <20200220221517.GA16177@isc.org> <alpine.DEB.2.20.2002222349530.27562@grey.csi.cam.ac.uk>
In-Reply-To: <alpine.DEB.2.20.2002222349530.27562@grey.csi.cam.ac.uk>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Sat, 22 Feb 2020 17:11:47 -0800
Message-ID: <CAH1iCiq+rOxs9c8zoJhAWbB6-0SP_WC5onF-DrbekwX=8iR49Q@mail.gmail.com>
To: Tony Finch <dot@dotat.at>
Cc: Evan Hunt <each@isc.org>, Matthijs Mekking <matthijs@pletterpet.nl>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000fd27d3059f33f07b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/U1tR18di8o7gADSXF0zoLbX7Vh0>
Subject: Re: [DNSOP] status of the aname and svcb/httpsvc drafts
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Feb 2020 01:12:02 -0000

On Sat, Feb 22, 2020 at 4:01 PM Tony Finch <dot@dotat.at> wrote:

> Evan Hunt <each@isc.org> wrote:
> >
> > CNAME at the apex wasn't really the problem. Getting browsers to display
> > content from the right CDN server was the problem.
>
> My interest in ANAME is basically nothing to do with CDNs. I want my users
> to be able to configure aliases by name or address without having to deal
> with incomprehensible restrictions. ("It's always a DNS problem") Ideally
> they should be able to configure aliases by name so that those responsible
> for the server can move it around without having to reconfigure ridiculous
> numbers of aliases.
>

I'm not sure if this is a philosophical thing, or a pragmatic thing.

But the root problem with apex aliasing (CNAME/DNAME/ANAME/etc), is the
huge deployed base.
Also, that the original design of DNS didn't have this built in.
And also, that the whole semantic of CNAME usage is hidden from the clients
(things querying DNS), rather than exposed to the applications.
(E.g. should it not be the case that whatever is making the query, itself
be aware of the aliasing?)

Ultimately, I think this boils down to this observation:
DNS zone files are not really a good place to implement any user-exposed
schemes for aliasing, or for maintaining server/name mapping.

Those two things are UI and provisioning, respectively, and both are
probably handled with systems above or outside of DNS, rather than DNS
itself.

UI for the former (that deals with the DNS oddities), and automation or
APIs that deal with the latter.
Whenever there is a need for a bunch of names, plus the apex itself, to be
treated as synonymous, why does it matter which of those is the "target"?
That's really a bike-shed issue, IMHO.
The only time it is a problem, is if the target is external to the zone, in
which case the single instance at the apex is the problem (i.e. the main
issue of the ANAME or HTTPSSVC alias-form).

Moving a server (renumbering, etc), always requires synchronization between
a bunch of systems, only one of which is DNS itself.
E.g. certificate management, networking, etc.
Keeping those in sync requires some tooling.
Thus, adding the DNS component into the tooling doesn't seem to be
cumbersome.
It is perhaps a place where more infrastructure development to handle
scaling is required.

I.e., it'd be nice if DNS could deal with these things better, but it
can't, and it isn't the only possible solution, so, pretty much any other
solution can be made to work.
The choice of which alternative is really an implementation question, which
doesn't require standardization.
It's analogous to meta-data stuff, which also relates to provisioning of
DNS itself.
It's another place where in a parallel universe, it might have been good to
have been included in the design of DNS.

Brian

v2.23.0 | Report a Bug | By Email