Re: [DNSOP] Minimum viable ANAME

Brian Dickson <brian.peter.dickson@gmail.com> Tue, 26 March 2019 16:22 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA7151205A1 for <dnsop@ietfa.amsl.com>; Tue, 26 Mar 2019 09:22:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tK7viMszmAYG for <dnsop@ietfa.amsl.com>; Tue, 26 Mar 2019 09:22:47 -0700 (PDT)
Received: from mail-qt1-x82c.google.com (mail-qt1-x82c.google.com [IPv6:2607:f8b0:4864:20::82c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0CD5E12059A for <dnsop@ietf.org>; Tue, 26 Mar 2019 09:22:38 -0700 (PDT)
Received: by mail-qt1-x82c.google.com with SMTP id v20so15232747qtv.12 for <dnsop@ietf.org>; Tue, 26 Mar 2019 09:22:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DIKKsnxCS5rWSpo3jJUOpjrFiLjEnWXYesdtYBYYjBo=; b=auLJCG+MKLY5ACsCF6/gmv8sRTp/snPTIal9BrN+QXFnqQZjzVlDoX2wQCfUapGdd9 O+r1cUmBVldxscF+HuhH17Y8wqYTNAmhIPMj5WwUmxevwzxQzxbHA5QSS2FaCky3QhfC eG2qaMxlk3SRP0fn8+BfC1v5TfLc90Q5hNAV4KJMAnNMgBLe9bp0a8oopIW47jGYH1Td MrU8zTPIw2/zPIeD1JjoMzQaInOQWsdNIwRH5zQhuJkZQ70Ro+v8AtAahHkQdDR/IvBI 6WzjMIv22OqLGFNdDY57i9Hp8f+DznDmPl378JvcdEuDENS8bZXs7cNAATCJYYCQxnSh NZrQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DIKKsnxCS5rWSpo3jJUOpjrFiLjEnWXYesdtYBYYjBo=; b=Mbq5+JXeo7ogvBsrwSLJ71Hx2nWYEl6BcG+C3PLVYH4FF11nTvpTRdXOwbgsWTTSwA efVGRVFhBMCDtDM6nkxke56JeDouEbn1da0wbm7L22FJW+QQJERQR4ZYUCIH7/Ex3f/P BjwA2MtiQhbXuFESDFfJbhenYf4ce3rfRqzm/r7JBoVCAgu7W+Pi7oximsldfATVEDWj bE0LBosA/oMKBk0yA6vpaY0nPJr3GTRfDejaxkZClrApu5nIK2n7HFbKhzkLPye4G+QA Y0Oq59CbRVktaIYCIILOTFH7UFzRlZxZg9TgBZi29a9unUZTq1LW4Iimioppzttke0yk +IiA==
X-Gm-Message-State: APjAAAXom14WAuaUMN3HJ+7+LxHWssslP1KVayDwH+FeD16upJTcmh9k CBnkG7FRGYosPWAoDpF/+7xGKr6wl8nNHtULFtE=
X-Google-Smtp-Source: APXvYqw+9DlU6gR5DFw6y/BW8Rs9mndxzQW2NftaM5yf9nEsUUA0i21juCQOAUELy1SFkT83UuPQaJHR+dXIz/r1zgs=
X-Received: by 2002:ac8:2b83:: with SMTP id m3mr26293271qtm.305.1553617357156; Tue, 26 Mar 2019 09:22:37 -0700 (PDT)
MIME-Version: 1.0
References: <20180919201401.8E0C220051382A@ary.qy> <08C8A740-D09B-4577-AF2A-79225EDB526B@dotat.at> <20180920061343.GA754@jurassic> <E944887D-51ED-41A0-AC5A-3076743620D8@isoc.org> <acef1f69-8e4f-52cc-dca5-3ada9446e0ee@bellis.me.uk> <CABrJZ5HmCoSsGe2L-JkAsPywhcxyyVkvMmXCvQyJMjWHnMeT_w@mail.gmail.com> <alpine.DEB.2.20.1903261521290.13313@grey.csi.cam.ac.uk> <104ec4ea-296f-1657-5633-f6c1f2684274@pletterpet.nl> <alpine.DEB.2.20.1903261540330.13313@grey.csi.cam.ac.uk>
In-Reply-To: <alpine.DEB.2.20.1903261540330.13313@grey.csi.cam.ac.uk>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Tue, 26 Mar 2019 17:22:25 +0100
Message-ID: <CAH1iCir8kCo9M4BvRiJCZzXK5EHaf9ja96p=kDdzqh-qHkhP+w@mail.gmail.com>
To: Tony Finch <dot@dotat.at>
Cc: Matthijs Mekking <matthijs@pletterpet.nl>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b0b552058501baac"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Ze8LEDec3DbOycJyx8xpYvPFcFE>
Subject: Re: [DNSOP] Minimum viable ANAME
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 16:22:55 -0000

I think the one proposal was very client-specific, which kind of ruled it
out for a generic "aname" type.
That was Ray's "HTTP" RRtype, that I did a deep dive on.

Basically, you are correct; the easiest path forward would be for client
software upgrades to get actual DNS records (rather than rely on
getaddrinfo), and do the indirection following (similar to and inclusive of
CNAME and DNAME, in addition to the new "HTTP" type.)

It avoids requiring recursives do the extra handling (analogous to CNAME
chaining and ultimately returning A/AAAA, based on the original QTYPE)
It definitely is the case that there is anti-consensus on the original
ANAME spec which requires sibling records provisioned/populated/maintained
by authority servers -- which is basically fatal to the original ANAME
draft.

I would definitely be willing to work on a true reset of ANAME that goes in
the other direction. I suspect that's what Ray's reset will involve, and I
believe that any effort on the current ANAME before the reset, would likely
be wasted effort. I really want to avoid the issue where those who have, in
good faith, contributed significant effort, want to hold onto that work,
even if that work is ultimately counter-productive.

Please see the discussion on the list from November 2018 timeframe, on the
major issues....

Thanks,
Brian

On Tue, Mar 26, 2019 at 5:10 PM Tony Finch <dot@dotat.at>; wrote:

> Matthijs Mekking <matthijs@pletterpet.nl>; wrote:
> >
> > I think that would be the wrong direction.  I believe there is a need to
> > standardize the ANAME resolution process and so my suggestion would be to
> > reduce the scope by focusing just on how to do that on the provisioning
> side
> > (and leave secondary servers and resolvers out of scope for now).
>
> >From past discussions, I didn't think there was any way we could get
> consensus on the provisioning side.
>
> Dynamic lookups on authoritative servers are out, because it has to be
> compatible with traditional secondaries.
>
> Updates on the primary are out, because that doesn't scale to large
> numbers of zones.
>
> Sometimes a system might have known fallback addresses, but often it won't
> (e.g. whether the DNS setup is or isn't coupled to a web provisioning
> system).
>
> But I think it's reasonable to allow whatever provisioning mechanisms
> there might be, provided the meaning of answers from auth -> rec have a
> consistent meaning that resolvers can use.
>
> It's also really imortant that ANAME can work in multi-provider setups, so
> there needs to be something approaching interoperable semantics for
> importing a zone file into a provisioning system. (Though I think the
> semantics will have to be very loose in this case, to allow for variations
> between existing systems.)
>
> I haven't seen any objections to support for ANAME in recursive servers
> so I'm surprised you think that is problematic enough to be removed. My
> understanding was that recursive support is seen as better than trying to
> do all the tricks on authoritative servers.
>
> Tony.
> --
> f.anthony.n.finch  <dot@dotat.at>;  http://dotat.at/
> safeguard the balance of nature and the environment
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>