Re: [DNSOP] New draft for ALIAS/ANAME type

"John Levine" <> Fri, 31 March 2017 15:34 UTC

Date: Fri, 31 Mar 2017 15:33:57 -0000
Message-ID: <20170331153357.6888.qmail@ary.lan>
From: John Levine <>
List-Id: IETF DNSOP WG mailing list <>

In article <> you write:
>On 31 Mar 2017, at 1:08, John Levine wrote:
>>> If you sign offline, what happens when the A records change?
>> You Lose(tm).  For that matter, you lose even when the A records don't
>> change since the signer only sees the ANAME, not the A or AAAA.
>There are PowerDNS ALIAS deployments that sign offline (for some 
>stretch of the definition of offline) - every minute. For small zones 
>the NOTIFY+XFR overhead is very tolerable, and the public auths do not 
>need the private key data.

Sure.  That's what I do, too, but I'd call that doing it on the
provisioning side.

>> so I have to do the mail and DNS.  On my server, the aname-like things
>> can specify what server to query as well as what name, so it
>> automatically follows the A and AAAA records that the web host
>> publishes in their DNS.
>You could point your ANAME-aware auth at a specific resolver that has 
>stub zones configured for those domains, and then this would work with 
>ANAME as well.

I don't see the benefit -- that just adds an extra level of kludge
in the middle.  If this is worth doing at all (I think it is), why not
just put it into ANAME?

>And, of course, any auth implementer is free to not implement ANAME if he does 
>not like the requirements.

Now we're back to the same issue I raised with BULK.  Everyone now has
to carefully check what features are supported by all of their
secondary servers, as opposed to now where I don't even know or care
what software they use.  Some of us hoped we got over that once DNSSEC
got into the mainstream auth servers.
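The provisioning-side approach discussed in this message (expand the ANAME into the target's current A/AAAA records before each periodic offline signing run, and only re-sign and NOTIFY when the expansion actually changed) as an added illustration; this is not code from the thread or from PowerDNS. The zone, the lookup table standing in for DNS queries, and the per-record `server` field (modelling the "which server to query" variant) are constructed assumptions.

```python
"""Provisioning-side ANAME expansion (constructed example).

The signer only ever sees ordinary A/AAAA records, so the ANAME must be
expanded before signing. Lookups are an in-memory table here so the
example runs offline; a deployment would query the named server instead.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str                    # "A", "AAAA", "ANAME", "MX", ...
    rdata: str                    # ANAME: target name
    server: Optional[str] = None  # ANAME only: server to query (assumed extension)


# (qname, qtype, server) -> list of rdata strings; None server = default resolver
Lookup = Callable[[str, str, Optional[str]], List[str]]


def table_lookup(table: Dict[Tuple[str, str, Optional[str]], List[str]]) -> Lookup:
    """Stand-in for real DNS queries: answer from a constructed table."""
    return lambda qname, qtype, server: table.get((qname, qtype, server), [])


def expand_aname(zone: List[Record], lookup: Lookup) -> List[Record]:
    """Replace every ANAME with the A/AAAA currently published at its target.

    The returned zone contains no ANAME records, so an ordinary offline
    signer can sign it without knowing anything about ANAME.
    """
    expanded: List[Record] = []
    for rr in zone:
        if rr.rtype != "ANAME":
            expanded.append(rr)
            continue
        for qtype in ("A", "AAAA"):
            for addr in lookup(rr.rdata, qtype, rr.server):
                expanded.append(Record(rr.name, qtype, addr))
    return expanded


def needs_resign(previous: List[Record], current: List[Record]) -> bool:
    """True when the expanded zone changed, i.e. a new signing run plus
    NOTIFY/XFR to the public secondaries is required."""
    return set(previous) != set(current)
```

Run `expand_aname` on the schedule the thread describes (e.g. every minute) and feed the result to the signer only when `needs_resign` is true.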