Re: [DNSOP] abandoning ANAME and standardizing CNAME at apex

Evan Hunt <each@isc.org> Sat, 23 June 2018 01:45 UTC

Date: Sat, 23 Jun 2018 01:45:03 +0000
From: Evan Hunt <each@isc.org>
To: John R Levine <johnl@taugh.com>
Cc: dnsop@ietf.org
Message-ID: <20180623014503.GF83312@isc.org>
References: <CAJhMdTO2kj+nUqESg3ew=wwZuB9OzkJE6pST=mae7pHiEk4-Qw@mail.gmail.com> <20180619190213.B76962846E19@ary.qy> <20180622182752.GA83312@isc.org> <alpine.OSX.2.21.1806221517590.29829@ary.qy> <20180623004010.GE83312@isc.org> <alpine.OSX.2.21.1806222114230.31259@ary.qy>
In-Reply-To: <alpine.OSX.2.21.1806222114230.31259@ary.qy>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/jYYRLDa3NUnsSgH-04ygrFhCsO0>
Subject: Re: [DNSOP] abandoning ANAME and standardizing CNAME at apex

On Fri, Jun 22, 2018 at 09:18:25PM -0400, John R Levine wrote:
> Like I said, it's a distinction without a difference.

The difference is implementation complexity, which maybe isn't of concern
to you but has been of concern to some people who argued with me about
ANAME on this basis early on.

You *don't* have to implement a full resolver inside your auth server to
get ANAME to work. That's all I'm trying to make clear.

Your point about having to deal with recursion failures is entirely valid.
It's irreducibly a hack, but I'm still pretty sure a different rrtype than
CNAME will be needed to get anything like this to work reliably.

(And, realistically, it isn't going to be SRV; it's going to have to be
something that browsers get for free just by sending address queries, since
that's all they're willing to do.  A related idea that's occurred to me is
an EDNS option that could be included with a query for example.com/A, which
says "this query originated from a _http._tcp application, so do me a favor
and check for SRV while you're at it, 'k?"  But I'm pretty well convinced
at this point that no browser vendor would ever lift a finger to use that
information no matter how easy we made it for them.  *All* of the
finger-lifting will have to be done in the resolver.)

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.
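An added illustration of the point made in this message, not code from the thread or from ISC: an authoritative server can implement ANAME by handing the target name to a separate resolver callback instead of embedding a full resolver, and it must still decide what to answer when that resolution fails. `ApexZone`, `answer_apex_query`, the resolver stand-in and its address table are all constructed for this example; the sibling-record fallback models the usual approach to the recursion-failure case.

```python
# Constructed toy model of ANAME-at-apex expansion in an authoritative server.
# The auth server resolves nothing itself: it hands the target name to an external
# resolver callback and falls back to sibling address records when that fails.
from dataclasses import dataclass, field

class ResolutionError(Exception):
    """External resolver failed on the ANAME target (timeout, SERVFAIL, ...)."""

@dataclass
class ApexZone:
    apex: str                  # e.g. "example.com."
    aname_target: str = ""     # name whose addresses are copied to the apex
    siblings: dict = field(default_factory=dict)  # fallback A/AAAA rdata by type

def answer_apex_query(zone, qname, qtype, resolve):
    """Return (source, rdata) for an A/AAAA query at the apex, or None if the
    query is not an ANAME case. `resolve(name, qtype)` is the hook to a separate
    recursive resolver: it returns a list of addresses or raises ResolutionError."""
    if not zone.aname_target or qname != zone.apex or qtype not in ("A", "AAAA"):
        return None
    try:
        rdata = resolve(zone.aname_target, qtype)
    except ResolutionError:
        rdata = []             # the recursion-failure case raised in the thread
    if rdata:
        return ("target", sorted(rdata))
    # Nothing usable from the target: serve the sibling records (possibly none).
    return ("sibling", sorted(zone.siblings.get(qtype, [])))

# Constructed resolver stand-in: a fixed table plus one name that always fails.
_CONSTRUCTED_ADDRS = {
    ("cdn.example.net.", "A"): ["192.0.2.11", "192.0.2.10"],
    ("cdn.example.net.", "AAAA"): ["2001:db8::10"],
}

def constructed_resolve(name, qtype):
    if name == "broken.example.net.":
        raise ResolutionError("SERVFAIL")
    return _CONSTRUCTED_ADDRS.get((name, qtype), [])

def demo():
    ok = ApexZone("example.com.", "cdn.example.net.", {"A": ["198.51.100.1"]})
    bad = ApexZone("example.org.", "broken.example.net.", {"A": ["198.51.100.2"]})
    return {
        "healthy": answer_apex_query(ok, "example.com.", "A", constructed_resolve),
        "healthy_v6": answer_apex_query(ok, "example.com.", "AAAA", constructed_resolve),
        "failed": answer_apex_query(bad, "example.org.", "A", constructed_resolve),
        "failed_v6": answer_apex_query(bad, "example.org.", "AAAA", constructed_resolve),
        "not_apex": answer_apex_query(ok, "www.example.com.", "A", constructed_resolve),
    }
```

Note that a real deployment also has to decide how the synthesized apex records interact with DNSSEC signing and TTLs, which this toy model leaves out.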