Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-aname-00.txt

Florian Weimer <> Wed, 12 April 2017 08:21 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8BCE3129ABE for <>; Wed, 12 Apr 2017 01:21:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.923
X-Spam-Status: No, score=-6.923 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 95zyXWHOv4p2 for <>; Wed, 12 Apr 2017 01:21:15 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DCCAA1270AC for <>; Wed, 12 Apr 2017 01:21:15 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 67C297F081; Wed, 12 Apr 2017 08:21:15 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 67C297F081
Authentication-Results:; dmarc=none (p=none dis=none)
Authentication-Results:; spf=pass
DKIM-Filter: OpenDKIM Filter v2.11.0 67C297F081
Received: from ( []) by (Postfix) with ESMTPS id 6396C189AF; Wed, 12 Apr 2017 08:21:14 +0000 (UTC)
To: Evan Hunt <>
References: <> <> <> <> <> <> <> <> <> <> <>
Cc: Tony Finch <>, dnsop <>, Paul Wouters <>
From: Florian Weimer <>
Message-ID: <>
Date: Wed, 12 Apr 2017 10:21:13 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.79 on
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 ( []); Wed, 12 Apr 2017 08:21:15 +0000 (UTC)
Archived-At: <>
Subject: Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-aname-00.txt
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 12 Apr 2017 08:21:18 -0000

On 04/11/2017 10:47 PM, Evan Hunt wrote:
> On Tue, Apr 11, 2017 at 10:20:31PM +0200, Florian Weimer wrote:
>> And in order to accommodate them, we upgrade the DNS server
>> infrastructure across the Internet?
> Them, and web browser implementers who just don't want to use SRV.

SRV wouldn't work anyway because it is incompatible with existing name 
resolution interfaces anyway.

If you do not insist on using SRV, but something that is just an alias 
(like PTR, ANAME etc.) and processed in the client, it would be quite 
straightforward to put this into the stub resolver, and then all 
applications[*] would automatically get the addresses at the 
substitution name (SNAME).  Disallow multiple substitution names per 
owner name and their chaining (but chaining to CNAME would be okay), and 
I think it would just work.

But then DNS operators will worry about a 50% (from A/AAAA to 
A/AAAA/SNAME) to 150% (from A/AAAA to A/AAAA/SNAME plus A/AAAA at the 
SNAME) increase in query load.  (SRV would be worse because there could 
be multiple target names, all needing separate processing.)  Would that 
be acceptable?  I don't know.

In fact, Firefox already solved the issue in the client: If you enter 
the zone apex, and no address record exists, it automatically redirects 
to the www name in the zone.  Unfortunately, DNS operators broke that 
when they started rewriting NODATA responses, injecting ads into 
existing domains.  So you really have to have addresses at the zone apex 
these days.


[*] At least all applications which correctly deal with enterprise name 
lookup, which can involve NIS and LDAP, too, not just DNS.