Re: [DNSOP] New draft for ALIAS/ANAME type

"John Levine" <johnl@taugh.com> Fri, 31 March 2017 15:34 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 053271294E1 for <dnsop@ietfa.amsl.com>; Fri, 31 Mar 2017 08:34:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GYXp-3oPNguZ for <dnsop@ietfa.amsl.com>; Fri, 31 Mar 2017 08:34:22 -0700 (PDT)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D146126DED for <dnsop@ietf.org>; Fri, 31 Mar 2017 08:34:22 -0700 (PDT)
Received: (qmail 83892 invoked from network); 31 Mar 2017 15:34:19 -0000
Received: from unknown (64.57.183.18) by mail1.iecc.com with QMQP; 31 Mar 2017 15:34:19 -0000
Date: 31 Mar 2017 15:33:57 -0000
Message-ID: <20170331153357.6888.qmail@ary.lan>
From: "John Levine" <johnl@taugh.com>
To: dnsop@ietf.org
Cc: peter.van.dijk@powerdns.com
In-Reply-To: <9232F4F4-772F-48AA-80FB-C990662AFD7A@powerdns.com>
Organization:
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/cb1mIrPPp_Xo-LcOwgRcTBVkNps>
Subject: Re: [DNSOP] New draft for ALIAS/ANAME type
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Mar 2017 15:34:24 -0000

In article <9232F4F4-772F-48AA-80FB-C990662AFD7A@powerdns.com> you write:
>On 31 Mar 2017, at 1:08, John Levine wrote:
>
>>> If you sign offline, what happens when the A records change?
>>
>> You Lose(tm).  For that matter, you lose even when the A records don't
>> change since the signer only sees the ANAME, not the A or AAAA.
>
>There are PowerDNS ALIAS deployments that signs offline (for some 
>stretch of the definition of offline) - every minute. For small zones 
>the NOTIFY+XFR overhead is very tolerable, and the public auths do not 
>need the private key data.

Sure.  That's what I do, too, but I'd call that doing it on the
provisioning side.

>> so I have to do the mail and DNS.  On my server, the aname-like things
>> can specify what server to query as well as what name, so it
>> automatically follows the A and AAAA records that the web host
>> publishes in their DNS.
>
>You could point your ANAME-aware auth at a specific resolver that has 
>stub zones configured for those domains, and then this would work with 
>ANAME as well.

I don't see the benefit -- that just adds an extra level of kludge
in the middle.  If this is worth doing at (I think it is) why not
just put it into ANAME?

>And, of course, any auth implementer is free to not implement ANAME if he does 
>not like the requirements.

Now we're back to the same issue I raised with BULK.  Everyone now has
to carefully check what features are supported by all of their
secondary servers, as opposed to now where I don't even know or care
what software they use.  Some of us hoped we got over that once DNSSEC
got into the mainstream auth servers.

R's,
John