Re: [DNSOP] Fundamental ANAME problems

"John R Levine" <johnl@taugh.com> Fri, 02 November 2018 08:03 UTC

Date: 2 Nov 2018 16:03:50 +0800
Message-ID: <alpine.OSX.2.21.1811021557350.13429@ary.local>
From: "John R Levine" <johnl@taugh.com>
To: "Brian Dickson" <brian.peter.dickson@gmail.com>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
In-Reply-To: <CAH1iCioGbweYndujWRsHFJ5ZJz+NXkL-_cyB13Xq4m5Espbmpw@mail.gmail.com>
References: <CAH1iCirXYsYB3sAo8f1Jy-q4meLmQAPSFO-7x5idDufdT_unXQ@mail.gmail.com> <20181102001431.129AC2007E00AF@ary.local> <CAH1iCioGbweYndujWRsHFJ5ZJz+NXkL-_cyB13Xq4m5Espbmpw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/cVggL579FGIM20BNIyyOMOlX6xQ>
Subject: Re: [DNSOP] Fundamental ANAME problems

> Did you not read my full message?
> I didn't say don't do that, I said let's do it in an elegant way.
> Then I provided a few examples of how to do that.

I'll defer to other people, but it seems to me that anything that depends 
on recursive DNS servers being updated isn't a realistic solution.  We're 
still waiting for DNSSEC, after all.

> What is being done now is not ANAME by any stretch; it is
> vertically-integrated apex CNAME flattening.

My version periodically fetches the remote A and AAAA records, invents 
local A and AAAA records, and signs them.  It's a kludge, but it gets the 
job done.

With respect to the whole anycast and CDN thing, it is not my impression 
that ANAME hacks are widely used for big sophisticated sites.  Mine are 
used for small biz sites where my user wants to use my mail but someone 
else's web service.

> Can you point me to a non-closed, non-vertically-integrated ANAME-like
> thing that offers interoperable multi-vendor support?

Of course not.  That's why we're talking about ANAME.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
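The message above describes the usual apex "CNAME flattening" workaround: a job on the authoritative side periodically looks up the target's A and AAAA records, publishes copies of them at the zone apex, and hands the result to the zone's DNSSEC signer. The block below is an added illustration of that loop, not John Levine's code or anything from the dnsop thread. The resolver is abstracted behind a `lookup` callable, and `example.com.`, `www.example.net.`, the constructed answers and the names `flatten`, `to_zone_lines` and `demo` are all assumptions made for the example. It shows the two operational decisions the sketch in the mail leaves implicit: the published TTL is capped at the refresh interval so clients never cache a flattened answer longer than the job's own view of it, and a failed lookup keeps the previously published RRset rather than publishing an empty apex.

```python
"""Apex CNAME flattening ("ANAME kludge") as a pure function over lookup results.

Added example, not code from the dnsop thread. Network resolution is abstracted
behind a callable so the block runs offline against constructed answers.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RRset:
    name: str                # owner name of the synthesized records (the zone apex)
    rtype: str               # "A" or "AAAA"
    ttl: int                 # TTL to publish
    rdata: Tuple[str, ...]   # addresses, sorted for stable zone output


# A lookup returns (ttl, [addresses]) for (qname, qtype), or None if the query failed.
Lookup = Callable[[str, str], Optional[Tuple[int, List[str]]]]


def flatten(apex: str, target: str, lookup: Lookup, previous: Dict[str, RRset],
            refresh: int = 300, min_ttl: int = 30) -> Dict[str, RRset]:
    """Compute the A/AAAA RRsets to publish at `apex` for ANAME target `target`.

    - Successful lookup: synthesize records whose TTL is at most `refresh`
      (the job's own polling interval) and at least `min_ttl`.
    - Empty answer (NODATA for that type): publish nothing for that type.
    - Failed lookup: keep the previously published RRset so a transient
      resolver problem degrades to stale data instead of an outage.
    The returned RRsets are what the zone's DNSSEC signer signs; signing
    itself is outside this example.
    """
    out: Dict[str, RRset] = {}
    for rtype in ("A", "AAAA"):
        answer = lookup(target, rtype)
        if answer is None:
            if rtype in previous:
                out[rtype] = previous[rtype]
            continue
        ttl, addrs = answer
        if not addrs:
            continue
        published_ttl = max(min_ttl, min(ttl, refresh))
        out[rtype] = RRset(apex, rtype, published_ttl, tuple(sorted(addrs)))
    return out


def to_zone_lines(rrsets: Dict[str, RRset]) -> List[str]:
    """Render the synthesized RRsets as master-file lines."""
    lines: List[str] = []
    for rtype in ("A", "AAAA"):
        rr = rrsets.get(rtype)
        if rr is None:
            continue
        for addr in rr.rdata:
            lines.append(f"{rr.name}\t{rr.ttl}\tIN\t{rtype}\t{addr}")
    return lines


# Constructed answers standing in for one polling cycle: the A lookup succeeds
# with a long remote TTL, the AAAA lookup fails (None). Note the answers are
# whatever the *authoritative server's* resolver sees; for anycast or CDN
# targets that vantage point can differ from the end user's, which is the
# limitation raised in the thread.
SAMPLE_ANSWERS: Dict[Tuple[str, str], Optional[Tuple[int, List[str]]]] = {
    ("www.example.net.", "A"): (3600, ["192.0.2.11", "192.0.2.10"]),
    ("www.example.net.", "AAAA"): None,
}


def sample_lookup(qname: str, qtype: str) -> Optional[Tuple[int, List[str]]]:
    return SAMPLE_ANSWERS.get((qname, qtype))


def demo() -> Dict[str, RRset]:
    """One flattening cycle against the constructed answers, with a prior AAAA set."""
    previous = {"AAAA": RRset("example.com.", "AAAA", 300, ("2001:db8::10",))}
    return flatten("example.com.", "www.example.net.", sample_lookup, previous, refresh=300)


if __name__ == "__main__":
    for line in to_zone_lines(demo()):
        print(line)
```

Running the block publishes two apex A records with the remote TTL of 3600 capped to 300, and carries the previous AAAA record forward because that lookup failed this cycle. The cap matters for correctness as much as freshness: once the target operator changes addresses, the flattened copies are wrong until the next poll, so resolvers must not be allowed to cache them beyond that window.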