Re: [DNSOP] Minimum viable ANAME

Tony Finch <> Thu, 20 September 2018 13:08 UTC

Date: Thu, 20 Sep 2018 14:08:19 +0100
From: Tony Finch <>
To: Paul Wouters <>
cc: dnsop <>
In-Reply-To: <>
Message-ID: <>
References: <20180919201401.8E0C220051382A@ary.qy> <> <>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII

Paul Wouters <> wrote:
> > With this model, signing only happens where it currently happens.
> Good. Although if you want to return bar's IP if it is different from
> foo's IP and for resolvers that don't understand ANAME, you have to
> synthesize these, but at least then it is no worse than DNS64 with
> respect to DNSSEC.

Who is "you" in this sentence?

If you are a secondary authoritative server, then you're almost certainly
oblivious to the target address records, but even if you do know them, you
aren't able to substitute them because the ANAME's zone is probably signed
and you don't have the keys.

If you are a recursive server, you can substitute if DO=0 or if the
ANAME's zone is unsigned. It would be nice if clients that make DO=1
queries also know about ANAME so they can substitute if required, but that
isn't necessary for correctness.

ANAME is much less bad than DNS64 because DNS64 requires knowledge about
the prefix used for tunneling, whereas ANAME substitution doesn't need any
information beyond the additional section of the response you just got.
And ANAME substitution isn't necessary in the way DNS64 is, i.e.
connectivity works if you don't substitute ANAME sibling address records,
but it doesn't if you lose DNS64 substitution.

f.anthony.n.finch  <>
no one shall be enslaved by poverty, ignorance, or conformity
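The substitution rule the message lays out (a secondary never substitutes because it has no keys; a recursive server substitutes only for DO=0 queries or when the ANAME's zone is unsigned; an ANAME-aware client may substitute itself; the target addresses come only from the additional section, and the sibling address records are kept whenever substitution is not possible) is modelled below as an added example. It is not code from this thread, from the ANAME draft, or from any resolver; the record model, the role names (`secondary`, `recursive`, `aname_aware_client`), the use of an RRSIG in the answer as the "zone is signed" signal, and the addresses in the constructed responses (documentation ranges) are all assumptions of the example.

```python
# Constructed model of the ANAME substitution rule discussed above.
# Not code from the thread or from any DNS implementation.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class RR:
    """One resource record: owner name, type, and a string form of the rdata."""
    name: str
    rtype: str  # "ANAME", "A", "AAAA" or "RRSIG"
    rdata: str


@dataclass
class Response:
    """Minimal view of an authoritative answer to an A/AAAA query at an ANAME owner."""
    qname: str
    qtype: str
    answer: List[RR]
    additional: List[RR] = field(default_factory=list)

    def aname_target(self) -> Optional[str]:
        for rr in self.answer:
            if rr.name == self.qname and rr.rtype == "ANAME":
                return rr.rdata
        return None

    def zone_is_signed(self) -> bool:
        # Assumption: a signed zone returns RRSIGs over the answer; an unsigned one cannot.
        return any(rr.rtype == "RRSIG" for rr in self.answer)


def may_substitute(role: str, response: Response, do_bit: bool) -> bool:
    """Who may swap the ANAME target's addresses in for the sibling records."""
    if role == "secondary":
        # No keys for the (probably signed) zone, and usually no target knowledge.
        return False
    if role == "recursive":
        # Safe only if the client did not ask for DNSSEC data, or the zone is unsigned.
        return (not do_bit) or (not response.zone_is_signed())
    if role == "aname_aware_client":
        # A client that understands ANAME can validate the siblings and substitute itself.
        return True
    raise ValueError(f"unknown role {role!r}")


def answer_for_client(role: str, response: Response, do_bit: bool) -> List[RR]:
    """Answer section to hand on: substituted if allowed and possible, else unchanged."""
    target = response.aname_target()
    if target is None or not may_substitute(role, response, do_bit):
        return list(response.answer)  # sibling records (and their RRSIGs) stay intact
    # Only information from the additional section of this response is used.
    target_rrs = [rr for rr in response.additional
                  if rr.name == target and rr.rtype == response.qtype]
    if not target_rrs:
        return list(response.answer)  # nothing to substitute with; siblings keep connectivity
    synthesized = [RR(response.qname, response.qtype, rr.rdata) for rr in target_rrs]
    # Synthesized records carry no signature, hence the DO/unsigned restriction above.
    return [rr for rr in response.answer if rr.rtype == "ANAME"] + synthesized


def addresses(rrset: List[RR], qtype: str) -> List[str]:
    return [rr.rdata for rr in rrset if rr.rtype == qtype]


# Constructed responses: foo.example has ANAME -> bar.example, with sibling A 192.0.2.1
# published at foo and bar's current A 198.51.100.7 supplied in the additional section.
SIGNED_RESPONSE = Response(
    qname="foo.example.", qtype="A",
    answer=[RR("foo.example.", "ANAME", "bar.example."),
            RR("foo.example.", "A", "192.0.2.1"),
            RR("foo.example.", "RRSIG", "A (constructed signature over the sibling A)")],
    additional=[RR("bar.example.", "A", "198.51.100.7")],
)
UNSIGNED_RESPONSE = Response(
    qname="foo.example.", qtype="A",
    answer=[RR("foo.example.", "ANAME", "bar.example."),
            RR("foo.example.", "A", "192.0.2.1")],
    additional=[RR("bar.example.", "A", "198.51.100.7")],
)

if __name__ == "__main__":
    for role in ("secondary", "recursive", "aname_aware_client"):
        for do_bit in (False, True):
            got = addresses(answer_for_client(role, SIGNED_RESPONSE, do_bit), "A")
            print(f"{role:19s} DO={int(do_bit)} signed zone -> {got}")
```

Running the block prints, for each role and DO setting, which address a client would receive from the signed zone: only the recursive server with DO=0 and the ANAME-aware client hand back 198.51.100.7; every other combination returns the signed sibling 192.0.2.1 unchanged.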