Re: [DNSOP] abandoning ANAME and standardizing CNAME at apex

Dan York <york@isoc.org> Mon, 17 September 2018 01:18 UTC

Return-Path: <york@isoc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63C9C130DE0 for <dnsop@ietfa.amsl.com>; Sun, 16 Sep 2018 18:18:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isoc.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WhwXh7d1kbiO for <dnsop@ietfa.amsl.com>; Sun, 16 Sep 2018 18:18:28 -0700 (PDT)
Received: from NAM05-CO1-obe.outbound.protection.outlook.com (mail-eopbgr720069.outbound.protection.outlook.com [40.107.72.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7ACC1130DDC for <dnsop@ietf.org>; Sun, 16 Sep 2018 18:18:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isoc.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=OjL6j0NRIT6R764CUqZN/C4SI3fWClna3a0wwJFRRjg=; b=DEEQrL9NjuO5U0vCZ+Gv3O+MAVQc3ylwLw9KTdglmWzlcWC0R2UMUFshBL3RksOlEJbQKdhGKCc8S4FygnKtpjFXMzlc8ZENa63sdA7lU12ygxpxqRQxIKCPG96Z7bylKzMNC7Cnfvd6VOqeSqkFa8dVGmYl1iMb5Qc9XomYTtY=
Received: from BN3PR0601MB1314.namprd06.prod.outlook.com (10.161.210.139) by BN3PR0601MB1940.namprd06.prod.outlook.com (10.165.119.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1143.17; Mon, 17 Sep 2018 01:18:24 +0000
Received: from BN3PR0601MB1314.namprd06.prod.outlook.com ([fe80::48ef:b4c8:7b24:247a]) by BN3PR0601MB1314.namprd06.prod.outlook.com ([fe80::48ef:b4c8:7b24:247a%9]) with mapi id 15.20.1143.017; Mon, 17 Sep 2018 01:18:24 +0000
From: Dan York <york@isoc.org>
To: Mukund Sivaraman <muks@mukund.org>
CC: =?utf-8?B?UGV0ciDFoHBhxI1law==?= <petr.spacek@nic.cz>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Thread-Topic: [DNSOP] abandoning ANAME and standardizing CNAME at apex
Thread-Index: AQHUTaOaPs87H1dAlUSfJWna7U2Y+KTzrWCA
Date: Mon, 17 Sep 2018 01:18:24 +0000
Message-ID: <0C475F3C-2220-4CC4-B564-47E7DF83AF6B@isoc.org>
References: <b73f3dc7-b378-d5d8-c7a2-42bc4326fbae@nic.cz> <20180916095655.GA11121@jurassic>
In-Reply-To: <20180916095655.GA11121@jurassic>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=york@isoc.org;
x-originating-ip: [73.38.163.131]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN3PR0601MB1940; 6:zHp+ln+UxKec6iWP9xdzDePv0Dskqnz+X8n93D2qJBUouKOtGIPUI14LbMA/qhifKUY1BhTW2qyRIPVrwoNFdCATuSsBy68kGyTnqcpb0UKoqX0iWSyq1Bl/pOgRfoU4ZqW6Od2OgV9WImk5pLeAqT1ljyMLOv5qQPXBIPluPAC0jQNznv23N376qYPlnRrjhbREbCBg4oL6cX36OeFWadA4xnYrMPab36lNHW0Hl8SSbo4Rvt0Um9/SZrj0n6IAoBJAm0VM4OySxzZQxfRAI9v0Qppnvit+fbQwpMpe9ZjdKsFsyOmaUirzv8q0V2ZT5cAMzNXoxX2DNCy1pItnVePeb1dgI5w1RP/9EzpChNQ5jvlgUC4oLkLU6N76emcg7/A8g6S5W5B526lQROWCHarnftk/PuYVkULATqXuQuW+x5+KS4zI3yseJDZhsduTOOMRjiKCrVhV188dtlpNQg==; 5:UfRiKhX+50GNNDli8N7AI6SbYA7APLBPnLAcqmOIObT1C5DldNskovK4cTDENhLcnmx7f6xHzH4I57ehUXWwAjhMnr3/HAXUUv06mTdidFB7GpRK1SgQymMC1F9pgwJ4FncL5kdeRc3+rMfwEpV9nCbjeacZtqlp6NEJSviBZ1c=; 7:12DQLUIGkzQPnw+tKRzQYt4qoUhjbc1IgP6qyjq9/hC0UuzLjKC+D5rFPQ8ipPW0OJUARyseMWRHn/mKs3YV8qqNJicwvT6lJ1KmzvBvczuFD6MWO0gbthRQcUarRFmSPuREN0DPDGqQcOhf2q6YDs5clRyrwG+WXv8jtbLDCMTjg7ZmKwRYW58aOT5Uf3wkT/BK02I8GByx17iiI8PQTCBGr1ttQLjB2cZdscZ82vrV06oUAotShxf88SsI2Dea
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: ea852355-a2ef-4230-a77d-08d61c3b7712
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989137)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(5600074)(711020)(2017052603328)(7153060)(7193020); SRVR:BN3PR0601MB1940;
x-ms-traffictypediagnostic: BN3PR0601MB1940:
x-microsoft-antispam-prvs: <BN3PR0601MB1940DDEA379337E9C88C52BEB71E0@BN3PR0601MB1940.namprd06.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(31418570063057);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(8121501046)(5005006)(3002001)(3231355)(944501410)(52105095)(10201501046)(93006095)(93001095)(149027)(150027)(6041310)(20161123564045)(20161123558120)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(201708071742011)(7699050); SRVR:BN3PR0601MB1940; BCL:0; PCL:0; RULEID:; SRVR:BN3PR0601MB1940;
x-forefront-prvs: 0798146F16
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(346002)(376002)(366004)(39830400003)(396003)(136003)(199004)(189003)(4326008)(6916009)(236005)(81166006)(81156014)(5660300001)(8676002)(186003)(345774005)(54896002)(105586002)(966005)(2900100001)(606006)(6306002)(102836004)(26005)(14454004)(478600001)(25786009)(14444005)(6436002)(53386004)(53376002)(36756003)(6246003)(7736002)(86362001)(6486002)(68736007)(6512007)(486006)(8936002)(11346002)(256004)(446003)(476003)(2616005)(53936002)(106356001)(97736004)(561944003)(229853002)(99286004)(82746002)(3846002)(6116002)(54906003)(66066001)(2906002)(6506007)(53546011)(76176011)(316002)(33656002)(5250100002)(83716003)(582214001); DIR:OUT; SFP:1101; SCL:1; SRVR:BN3PR0601MB1940; H:BN3PR0601MB1314.namprd06.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: isoc.org does not designate permitted sender hosts)
x-microsoft-antispam-message-info: ldqYBQxFSyeTrBTG7qN9XsjZl07/IuzxsHadgA3RshqPSOX02D2jbhFQ0DzF39LgFOSZe/wjJvJfT3PqFKxZMHgooH4Ct7WtbgoIhB2RoVrlig0ceFcCJDaU9fvFgZ3tfYgAB+kgYHPA/5P3C03KS009XYRBMQpcdypw5g3xp9kL9tCd3CDZUOo0/u8XfugwnZ7BWZL/+okf9nluVm3hYD/d5RmFKKEGcT5MdOnZVgMaWnCkR7oid2F0+ZOpF3/oW/uxudQNAwJy95gYgNc5cgsgChAzCIV8QM2vkLV4LOiNdW7IAXbPrAodEyls8X0FbBMYA/bHapaTWtIqDKFnJTBbhUyOtmeMNoMoRTQLwYQ=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_0C475F3C22204CC4B56447E7DF83AF6Bisocorg_"
MIME-Version: 1.0
X-OriginatorOrg: isoc.org
X-MS-Exchange-CrossTenant-Network-Message-Id: ea852355-a2ef-4230-a77d-08d61c3b7712
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Sep 2018 01:18:24.4372 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 89f84dfb-7285-4810-bc4d-8b9b5794554f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR0601MB1940
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/aaZ-pBhV-s-ra7isdHP5xft4R0U>
Subject: Re: [DNSOP] abandoning ANAME and standardizing CNAME at apex
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Sep 2018 01:18:33 -0000

Mukund,

Thank you for reviving this conversation. I was just asked last week about the status of this whole debate by someone who was seeking to set up “CNAME at apex”-style records for a variety of domains, all of which would be pointed over to links within various CDNs.

His challenge is that, for a variety of reasons not within his control, his domains are spread across several different CDNs / DNS hosting providers, all of whom do “CNAME at apex” in different ways. (And, if I recall correctly, one provider did NOT support this capability, citing RFC 1035 as their rationale.) The added complexity, and having to be sure he is doing it correctly for each of the different services, is quite frustrating and time consuming.  Meanwhile, he has communications people asking him very strongly for the ability to drop the “www” and just refer to their website addresses as “example.com<http://example.com>/<foo>”.

Hence his question to me about if this was ever going to be “fixed” by the IETF with some kind of standard.

I do think something needs to be done to standardize CNAME (or something very similar) at the apex. For the person with whom I was speaking, all of this websites are set up using various CDNs. So all he can provide is a DNS address in the CDN’s network.  He has no way to get an A or AAAA address as I understand the ANAME proposal would require.

So this is a lengthy way of saying that I would agree with moving ahead with a proposal to allow CNAME at apex, and to start to get resolvers to implement that.  I realize that updating the whole DNS infrastructure is incredibly challenging (we wrote about this with regard to crypto algorithms at https://tools.ietf.org/html/draft-york-dnsop-deploying-dnssec-crypto-algs ).  And so this may not be something widely available for some time.  But if we could get it started, it would definitely help the many people out there trying to configure domains to point to CDNs from their apex.

Dan

--
Dan York
Director, Content & Web Strategy, Internet Society
york@isoc.org<mailto:york@isoc.org>   +1-802-735-1624
Jabber: york@jabber.isoc.org<mailto:york@jabber.isoc.org>  Skype: danyork   http://twitter.com/danyork

http://www.internetsociety.org/

On Sep 16, 2018, at 5:56 AM, Mukund Sivaraman <muks@mukund.org<mailto:muks@mukund.org>> wrote:

Hi Petr

Apologies for the delayed reply.

On Tue, Jun 19, 2018 at 03:18:22PM +0200, Petr Špaček wrote:
Hello dnsop,

beware, material in this e-mail might cause your head to explode :-)

This proposal is based on following observations:
- It seems that DNS protocol police lost battle about CNAME at apex,
 is is deployed on the Internet.
- Major DNS resolvers like BIND, Unbound, PowerDNS Recursor, dnsmasq
 already have code to cope with the "impossible" case of CNAME at the
 apex and deal with it in ways which do not break stuff on resolver
 side.
- Authoritative servers of vendors named above refuse to serve CNAME at
 apex.
- There are CDNs etc. which allow users to create CNAME at apex
 no matter what the standards and "normal" servers say and do.
(We have found out this because Knot Resolver is missing hacks for CNAME
at apex and users complain that "it works with every other resolver".)


Take a deep breath!


Given that resolver side somehow works already ...
could we standardize this obvious violation of RFC 1035?

It is very clear violation of the standard, but almost everyone found
his way around it using different hacks. These hacks are not going away
because all the CDNs just don't care about standards so we will have
to maintain this code no matter what a great solution we will invent for
future. I.e. adding ANAME will just increase complexity because CNAME at
apex will be there for a long time (if not forever).

I personally do not like this but it seems better to think though
corner cases in code we already have in production (i.e. think through
current hacks for CNAME at apex) instead of inventing new things like ANAME
(or whatever else).

Opinions? Tomatoes? Can it work? If not, why not?

To me it seems it can work, and it sounds like a good idea. To relax DNS
protocol for CNAME to co-exist with other RR types, we'd need resolver
support, authoritive support and a time when it is practially usable.

----

Adding resolver support (to resolvers that don't have it, i.e., vs. RFC
1035) does not appear to break current DNS, i.e., it can be proposed
now.

1. When a resolver looks up a RR type in cache, and finds any positive
type match, it serves it.

2. If it does not find a positive type match, but finds a CNAME, it
looks for a negative cache entry for that RR type.

2.a. If a negative cache entry is found (or if it can synthesize one),
it returns/follows the CNAME chain.

2.b. If no negative cache entry is found (and it cannot synthesize one),
it starts a fetch for that type from upstream.

2.b.i. If the fetch returns a CNAME or NODATA, it means that the type
does not co-exist with CNAME in that node in the auth zone. The resolver
adds a negative cache entry for the type for the TTL of the returned
CNAME (or from SOA fields) to the cache, and returns/follows the CNAME
chain.

2.b.ii. If the fetch returns the type, it means that the type may
co-exist with the CNAME. The resolver adds a positive cache entry for
the type and returns the fetched answer.

2.b.iii. If the fetch returns NXDOMAIN, it overwrites the cache for that
node with a negative cache entry.

----

Adding authoriative support would mean relaxing checks and allowing
CNAME to co-exist with other types except non-apex NS (parent of zone
cut), and perhaps allow CNAME and DNAME to co-exist too.

For operators to be able to use it, they would need resolver support to
be available everywhere. I guess nothing stops a draft requiring
resolvers to implement support for it now.

So +1.

Mukund

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org<mailto:DNSOP@ietf.org>
https://www.ietf.org/mailman/listinfo/dnsop