Re: [DNSOP] Minimum viable ANAME

Havard Eidnes <he@uninett.no> Thu, 27 September 2018 09:28 UTC

Return-Path: <he@uninett.no>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 364C6130E29 for <dnsop@ietfa.amsl.com>; Thu, 27 Sep 2018 02:28:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.601
X-Spam-Level:
X-Spam-Status: No, score=-0.601 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=uninett.no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id POjrOrqjupQk for <dnsop@ietfa.amsl.com>; Thu, 27 Sep 2018 02:28:03 -0700 (PDT)
Received: from smistad.uninett.no (smistad.uninett.no [158.38.62.77]) by ietfa.amsl.com (Postfix) with ESMTP id 1DBEC130E00 for <dnsop@ietf.org>; Thu, 27 Sep 2018 02:28:02 -0700 (PDT)
Received: from smistad.uninett.no (smistad.uninett.no [158.38.62.77]) by smistad.uninett.no (Postfix) with ESMTP id 3DB5743EA53; Thu, 27 Sep 2018 11:28:00 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=uninett.no; s=he201803; t=1538040480; bh=JYIhRmTHZfKv/3n/5dnavZRu7WPXLc1E4OOrq0nXxzY=; h=Date:To:Cc:Subject:From:In-Reply-To:References:From; b=UhclJOxpsmg+wcM7SjmrUzLxmfmzdAR000iyeU/NeGOPuQFDoC7ZaSCFlnjPRkPu3 1cw7Qelxvh5pz53HvRLD4kSLifIvN9ZVyOvUGIjUeV8LBGKvuB0jh/ccZIfJREdCg6 MT4gSLFvLdnP5w/qTiRAeS8bT7dPrgHR1/+KrnwY=
Date: Thu, 27 Sep 2018 11:28:00 +0200 (CEST)
Message-Id: <20180927.112800.905303386386746646.he@uninett.no>
To: dot@dotat.at
Cc: johnl@taugh.com, dnsop@ietf.org
From: Havard Eidnes <he@uninett.no>
In-Reply-To: <08C8A740-D09B-4577-AF2A-79225EDB526B@dotat.at>
References: <20180919201401.8E0C220051382A@ary.qy> <08C8A740-D09B-4577-AF2A-79225EDB526B@dotat.at>
X-Mailer: Mew version 6.8 on Emacs 26.1
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/gFJTXrXBrIF05yUjj6jQbeDT0eY>
Subject: Re: [DNSOP] Minimum viable ANAME
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Sep 2018 09:28:06 -0000

>> If I look up foo and it has an ANAME to bar, which of these do I get
>> back?
>
> ; ANSWER SECTION
> foo. A 1.2.3.4

Who provides the DNSSEC proof for this record?  AIUI, there is no
A 1.2.3.4 in the "foo." zone originally, but there is an ANAME.
How, then, does this avoid DNSSEC-signing-on-the-fly (which may
be impossible)?

> ; ADDITIONAL SECTION
> foo. ANAME bar.
> bar. A 1.2.3.4

These two can of course easily be DNSSEC-signed, using the
traditional model, as all this data would be "where it belongs".

Regards,

- Håvard