Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/ANAME apex record in PowerDNS

bert hubert <bert.hubert@netherlabs.nl> Sun, 21 September 2014 18:14 UTC

Date: Sun, 21 Sep 2014 20:14:34 +0200
From: bert hubert <bert.hubert@netherlabs.nl>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Message-ID: <20140921181433.GC16178@xs.powerdns.com>
References: <20140921115222.GB16178@xs.powerdns.com> <412982B8-DBB4-475E-8A85-352AF35B579F@vpnc.org>
In-Reply-To: <412982B8-DBB4-475E-8A85-352AF35B579F@vpnc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/ieWWvvsvDhzCtpTYwy87s8XX9t0
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] fyi [Pdns-users] Please test: ALIAS/ANAME apex record in PowerDNS

On Sun, Sep 21, 2014 at 08:13:46AM -0700, Paul Hoffman wrote:
> - What happens / should happen if the "@  IN MX 25 outpost.ds9a.nl." record is not in the zone file and the server gets an MX query for example.com?

It proxies that on as an MX query for www.powerdns.com and puts back the
answer. So ALIAS is type-transparent.

> > PS: the above is currently not yet supported for DNSSEC domains!
> 
> Can you say (much) more about that aside? Does it mean that the server
> will fail to load the zone if there is DNSSEC records and ALIAS
> pseudo-records?  Or that the DNSSEC gets broken?  Or that the ALIAS gets
> broken?  Or...  ?

In the current branch, it will load the zone, but neglect to add signatures
for the proxied records. In other words, if you do DNSSEC, it will load the
zone but make you BOGUS. 

This is not a fundamental problem as long as we have keys. If you don't have
the keys, we can't sign anyhow. We'll add the signing code shortly, we just
haven't typed it in yet.

An interesting opening is that we'd be signing potentially unsigned data
this way. Potentially, we should check for the AD bit. But first let's see
how this idea fits.

	Bert
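The behaviour discussed in this thread, as an added model that is not PowerDNS code and not part of the original message: an apex ALIAS that forwards whatever qtype arrives (here an MX query) to the target name and rewrites the owner, the "loads but leaves proxied records unsigned" state Bert describes (a validating client then sees BOGUS), and the AD-bit check he floats. Everything here is constructed: the `AliasZone` and `validate` names, the in-memory `UPSTREAM` table standing in for a validating recursor, the `ZSK` bytes, and the HMAC that stands in for RRSIG generation (real DNSSEC signs with an asymmetric key). Refusing with SERVFAIL when the upstream answer lacks AD is one possible reading of "check for the AD bit", assumed here, not something the message specifies.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str
    ttl: int = 300


@dataclass
class Response:
    rcode: str                                     # "NOERROR" or "SERVFAIL"
    rrs: List[RR] = field(default_factory=list)
    sigs: List[str] = field(default_factory=list)  # stand-in for RRSIG records
    ad: bool = False                               # AD bit from a validating recursor


def canonical(rrs: List[RR]) -> str:
    """Order-independent RRset text so the signature covers the set, not the order."""
    return "\n".join(f"{r.name} {r.ttl} IN {r.rtype} {r.rdata}"
                     for r in sorted(rrs, key=lambda r: (r.name, r.rtype, r.rdata)))


def sign_rrset(rrs: List[RR], key: bytes) -> str:
    # Constructed stand-in for RRSIG generation: HMAC-SHA256 over the canonical
    # RRset. Real DNSSEC uses an asymmetric ZSK; only *what* gets signed matters here.
    return hmac.new(key, canonical(rrs).encode(), hashlib.sha256).hexdigest()


def verify_rrset(rrs: List[RR], sig: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_rrset(rrs, key), sig)


class AliasZone:
    """Authoritative zone whose apex ALIAS proxies any qtype to the target (assumed model)."""

    def __init__(self, origin: str, records: List[RR], alias_target: str,
                 upstream: Dict[Tuple[str, str], Response],
                 zsk: bytes = b"", sign_proxied: bool = True, require_ad: bool = True):
        self.origin = origin
        self.records = records
        self.alias_target = alias_target
        self.upstream = upstream          # stands in for the recursor the server asks
        self.zsk = zsk                    # empty => zone is not DNSSEC-signed
        self.sign_proxied = sign_proxied  # False models the branch that forgets to sign
        self.require_ad = require_ad      # the AD-bit check from the message

    def _answer(self, rrs: List[RR], signed: bool) -> Response:
        sigs = [sign_rrset(rrs, self.zsk)] if (self.zsk and signed and rrs) else []
        return Response("NOERROR", rrs, sigs)

    def query(self, qname: str, qtype: str) -> Response:
        # 1. A record of the requested type at qname is served locally, ALIAS or not.
        local = [r for r in self.records if r.name == qname and r.rtype == qtype]
        if local:
            return self._answer(local, signed=True)
        # 2. Otherwise the same qtype is forwarded to the ALIAS target (type-transparent).
        if qname == self.origin and self.alias_target:
            up = self.upstream.get((self.alias_target, qtype))
            if up is None:
                return Response("NOERROR")           # target has no such type: NODATA
            if up.rcode != "NOERROR":
                return Response("SERVFAIL")
            if self.zsk and self.require_ad and not up.ad:
                # Signing here would vouch for data the recursor did not validate.
                return Response("SERVFAIL")
            rewritten = [RR(qname, r.rtype, r.rdata, r.ttl) for r in up.rrs]
            return self._answer(rewritten, signed=self.sign_proxied)
        return Response("NOERROR")                   # NODATA


def validate(resp: Response, zsk: bytes) -> str:
    """What a validating client concludes for a zone it knows to be signed."""
    if resp.rcode != "NOERROR":
        return resp.rcode
    if not resp.rrs:
        return "NODATA"
    if not resp.sigs or not verify_rrset(resp.rrs, resp.sigs[0], zsk):
        return "BOGUS"
    return "SECURE"


# Constructed data: example.com apex aliased to www.powerdns.com, plus an invented
# upstream view of that target. The MX answer is marked ad=False to model an
# unvalidated upstream answer.
ZSK = b"constructed-zone-signing-key"
TARGET = "www.powerdns.com."
UPSTREAM = {
    (TARGET, "A"):    Response("NOERROR", [RR(TARGET, "A", "192.0.2.10")], ad=True),
    (TARGET, "AAAA"): Response("NOERROR", [RR(TARGET, "AAAA", "2001:db8::10")], ad=True),
    (TARGET, "MX"):   Response("NOERROR", [RR(TARGET, "MX", "10 mail.example.net.")], ad=False),
}
RECORDS = [
    RR("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300"),
    RR("example.com.", "NS", "ns1.example.com."),
]


def demo() -> Dict[str, str]:
    signed = AliasZone("example.com.", RECORDS, TARGET, UPSTREAM, zsk=ZSK)
    unsigned_branch = AliasZone("example.com.", RECORDS, TARGET, UPSTREAM, zsk=ZSK, sign_proxied=False)
    return {
        "a": validate(signed.query("example.com.", "A"), ZSK),              # SECURE
        "mx": validate(signed.query("example.com.", "MX"), ZSK),            # SERVFAIL, no AD
        "unsigned_branch": validate(unsigned_branch.query("example.com.", "A"), ZSK),  # BOGUS
        "soa": validate(signed.query("example.com.", "SOA"), ZSK),          # SECURE, local
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The interesting case is the "mx" entry: without the AD check the server would happily wrap an unvalidated upstream MX in its own signature, which is exactly the "signing potentially unsigned data" concern; with `require_ad=True` it fails closed instead.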