Re: [DNSOP] New draft for ALIAS/ANAME type
"John Levine" <johnl@taugh.com> Fri, 31 March 2017 15:34 UTC
Return-Path: <johnl@taugh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 053271294E1 for <dnsop@ietfa.amsl.com>; Fri, 31 Mar 2017 08:34:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GYXp-3oPNguZ for <dnsop@ietfa.amsl.com>; Fri, 31 Mar 2017 08:34:22 -0700 (PDT)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D146126DED for <dnsop@ietf.org>; Fri, 31 Mar 2017 08:34:22 -0700 (PDT)
Received: (qmail 83892 invoked from network); 31 Mar 2017 15:34:19 -0000
Received: from unknown (64.57.183.18) by mail1.iecc.com with QMQP; 31 Mar 2017 15:34:19 -0000
Date: Fri, 31 Mar 2017 15:33:57 -0000
Message-ID: <20170331153357.6888.qmail@ary.lan>
From: John Levine <johnl@taugh.com>
To: dnsop@ietf.org
Cc: peter.van.dijk@powerdns.com
In-Reply-To: <9232F4F4-772F-48AA-80FB-C990662AFD7A@powerdns.com>
Organization:
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/cb1mIrPPp_Xo-LcOwgRcTBVkNps>
Subject: Re: [DNSOP] New draft for ALIAS/ANAME type
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Mar 2017 15:34:24 -0000
In article <9232F4F4-772F-48AA-80FB-C990662AFD7A@powerdns.com> you write: >On 31 Mar 2017, at 1:08, John Levine wrote: > >>> If you sign offline, what happens when the A records change? >> >> You Lose(tm). For that matter, you lose even when the A records don't >> change since the signer only sees the ANAME, not the A or AAAA. > >There are PowerDNS ALIAS deployments that signs offline (for some >stretch of the definition of offline) - every minute. For small zones >the NOTIFY+XFR overhead is very tolerable, and the public auths do not >need the private key data. Sure. That's what I do, too, but I'd call that doing it on the provisioning side. >> so I have to do the mail and DNS. On my server, the aname-like things >> can specify what server to query as well as what name, so it >> automatically follows the A and AAAA records that the web host >> publishes in their DNS. > >You could point your ANAME-aware auth at a specific resolver that has >stub zones configured for those domains, and then this would work with >ANAME as well. I don't see the benefit -- that just adds an extra level of kludge in the middle. If this is worth doing at (I think it is) why not just put it into ANAME? >And, of course, any auth implementer is free to not implement ANAME if he does >not like the requirements. Now we're back to the same issue I raised with BULK. Everyone now has to carefully check what features are supported by all of their secondary servers, as opposed to now where I don't even know or care what software they use. Some of us hoped we got over that once DNSSEC got into the mainstream auth servers. R's, John
- [DNSOP] New draft for ALIAS/ANAME type Anthony Eden
- Re: [DNSOP] New draft for ALIAS/ANAME type Pieter Lexis
- Re: [DNSOP] New draft for ALIAS/ANAME type Tony Finch
- Re: [DNSOP] New draft for ALIAS/ANAME type Anthony Eden
- Re: [DNSOP] New draft for ALIAS/ANAME type Bob Harold
- Re: [DNSOP] New draft for ALIAS/ANAME type Ólafur Guðmundsson
- Re: [DNSOP] New draft for ALIAS/ANAME type Richard Gibson
- Re: [DNSOP] New draft for ALIAS/ANAME type John Levine
- Re: [DNSOP] New draft for ALIAS/ANAME type Evan Hunt
- Re: [DNSOP] New draft for ALIAS/ANAME type tjw ietf
- Re: [DNSOP] New draft for ALIAS/ANAME type Tony Finch
- Re: [DNSOP] New draft for ALIAS/ANAME type Peter van Dijk
- Re: [DNSOP] New draft for ALIAS/ANAME type Peter van Dijk
- Re: [DNSOP] New draft for ALIAS/ANAME type John Levine
- Re: [DNSOP] New draft for ALIAS/ANAME type Tim Wicinski
- Re: [DNSOP] New draft for ALIAS/ANAME type Mark Andrews
- Re: [DNSOP] New draft for ALIAS/ANAME type Peter van Dijk
- Re: [DNSOP] New draft for ALIAS/ANAME type John R Levine
- Re: [DNSOP] New draft for ALIAS/ANAME type Tony Finch
- Re: [DNSOP] New draft for ALIAS/ANAME type Tony Finch
- Re: [DNSOP] New draft for ALIAS/ANAME type John Levine
- Re: [DNSOP] New draft for ALIAS/ANAME type Dan York
- Re: [DNSOP] New draft for ALIAS/ANAME type Paul Wouters
- Re: [DNSOP] New draft for ALIAS/ANAME type Peter van Dijk
- [DNSOP] the power of ideas Paul Vixie
- Re: [DNSOP] the power of ideas Dave Crocker
- Re: [DNSOP] New draft for ALIAS/ANAME type Evan Hunt
- Re: [DNSOP] New draft for ALIAS/ANAME type Paul Wouters
- Re: [DNSOP] [Ext] the power of ideas Edward Lewis
- Re: [DNSOP] [Ext] the power of ideas Paul Vixie
- Re: [DNSOP] New draft for ALIAS/ANAME type Matthew Pounsett
- Re: [DNSOP] New draft for ALIAS/ANAME type Tony Finch
- Re: [DNSOP] New draft for ALIAS/ANAME type Matthew Pounsett
- Re: [DNSOP] New draft for ALIAS/ANAME type Petr Špaček
- Re: [DNSOP] New draft for ALIAS/ANAME type Bryan Hughes