Re: [DNSOP] abandoning ANAME and standardizing CNAME at apex

Tim Wicinski <tjw.ietf@gmail.com> Thu, 05 July 2018 15:28 UTC

Return-Path: <tjw.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62DF4130F1C for <dnsop@ietfa.amsl.com>; Thu, 5 Jul 2018 08:28:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qVw8PSKY3AHr for <dnsop@ietfa.amsl.com>; Thu, 5 Jul 2018 08:28:35 -0700 (PDT)
Received: from mail-wr1-x42c.google.com (mail-wr1-x42c.google.com [IPv6:2a00:1450:4864:20::42c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2569D130F25 for <dnsop@ietf.org>; Thu, 5 Jul 2018 08:28:35 -0700 (PDT)
Received: by mail-wr1-x42c.google.com with SMTP id c13-v6so1365338wrt.1 for <dnsop@ietf.org>; Thu, 05 Jul 2018 08:28:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=lyoWpS/Ff3JLCEQfinwPdNLoQsS4Cs0EgKpUkkFuXqU=; b=tHuT7eP+1JN8mPelJh7hDNwH4WTjXQZE3eZ8sQDOD1HxO55IOGAyIdK8VhamfEnCFj 6EdG+qBIFhDTdcZ2ADp56W+hHjbIxTxQyE+QXDN0bki0HbV/cnSiS7D38ECs/MAf9mua vzB2PsnXr+u68RsMnqs/RAB4SPlco8n6cOYVdCrLTTf1qmi85GIWFScLBCNdROX5u3v0 8aV5rPaVRNOd0sDNpJgKgoCFDlTc5VthZItdbkgXHcxwLxnUtLRC6feTvsVZJMH1Kxem RfF9KD6rA+70LX2m+41HIBchdOodlpX+HpN797GFerZt6JDaznheuD2ZRZQKaSgXZRdU GDFA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=lyoWpS/Ff3JLCEQfinwPdNLoQsS4Cs0EgKpUkkFuXqU=; b=K+Xx5Xmf+lTc0oHDjLOjr2+JHGc+NdOANppb6P1m40zH33JgUAjA396m94oovHrHIN m5FUby5lHuVBBWZBJvKBYNoVbSOzs5ge38E+bTfYA8HaioxSmuw/HMs3q9A1D0srqnAz wLAANxPypZqt59xRZtNZuJHiC7mAr9BcIRjmKfclIj5YboxJ8O108fyJLMYeGopQLiEM Nhrlb8G1CyBmbZfNtJbGUUwkZ0uzF1dmO27qvoWsykHDpXYYZ6lssIyO7LZP/i40NPK/ 7n9oZe97z2lg08vKr7oNxQajEBmGYO+UMHLDl/9C45KYYEN+5xxtGb5d9nZ+SwTH5fxi e48A==
X-Gm-Message-State: APt69E38LCpd0wcJ8bD1yiwdZLsbXBAxOlbWUmok5dCinMzShkbQhf7f SugXkBL3LeS433XicKOzMPvn8NKXLJxYCEmR5kc=
X-Google-Smtp-Source: AAOMgpekuLkYYpdO8B3qffuv9ABiK/EJz0eBqwVE/Tv9nyfdL07g0TuDf3U+zzSE+ArBmIN6kl8vJfW3BdlNp/cW3V8=
X-Received: by 2002:adf:f002:: with SMTP id j2-v6mr4613948wro.260.1530804513418; Thu, 05 Jul 2018 08:28:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:adf:a414:0:0:0:0:0 with HTTP; Thu, 5 Jul 2018 08:28:32 -0700 (PDT)
In-Reply-To: <5B311FB1.3040304@redbarn.org>
References: <CAJhMdTO2kj+nUqESg3ew=wwZuB9OzkJE6pST=mae7pHiEk4-Qw@mail.gmail.com> <20180619190213.B76962846E19@ary.qy> <20180622182752.GA83312@isc.org> <af9b422a-90a0-b204-70d6-12566d7b65dc@bellis.me.uk> <alpine.DEB.2.11.1806251459510.916@grey.csi.cam.ac.uk> <alpine.LRH.2.21.1806251104490.18905@bofh.nohats.ca> <alpine.DEB.2.11.1806251637060.916@grey.csi.cam.ac.uk> <alpine.LRH.2.21.1806251240410.32227@bofh.nohats.ca> <alpine.DEB.2.11.1806251756120.916@grey.csi.cam.ac.uk> <5B311FB1.3040304@redbarn.org>
From: Tim Wicinski <tjw.ietf@gmail.com>
Date: Thu, 5 Jul 2018 11:28:32 -0400
Message-ID: <CADyWQ+G-RabH8JyOOEhmf6nf5vT3bWb__xW_DSYyTYx-iKNKiw@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003e4506057042333d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kSN2fSCKaPYbqgdmp6MyD3p4HVA>
Subject: Re: [DNSOP] abandoning ANAME and standardizing CNAME at apex
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jul 2018 15:28:50 -0000

All

Thanks for this highly entertaining and also information conversation.  I
apologize for kicking up the dust but I feel this is one of those
conversations where the end-users/operators and protocol people are
disconnected.    I do know when we talked with several DNS providers about
a standard was of synthesizing names at the apex, we encountered a similar
level of pushback.  Most of them spent the time explaining how
sophisticated their method was over Vendor Y.

But I don't think it's an impossible problem to solve, and this thread is
full of very smart people attempting to do that.   I admit I look at this
problem too much through the lens of someone who thinks about operational
issues. (I am probably not the only one here who was paged in the middle of
the night when someone rolled out 9.12 without reading the fine print).

What we do know is:

 - We're not going to do SRV records (sorry Mark).
 - We're not going to ask the IAB to give a waiver on DNSSEC.
 - We still bang into each other over this.

The chairs have decided to set aside some time in Montreal and see if we
can work through this problem.  We've asked Ondřej  from ISC and Willem
from NLnetLabs to help guide the talk.

Thanks
Tim




On Mon, Jun 25, 2018 at 1:00 PM, Paul Vixie <paul@redbarn.org>; wrote:

>
>
> Tony Finch wrote:
>
>> Paul Wouters<paul@nohats.ca>;  wrote:
>>
>>> I understand, I just disagree this is the right way. I don't see why
>>> this entire problem shouldn't be resolved at the well, resolver level.
>>>
>>
>> I don't see how that can be deployed in a way that is compatible with
>> existing software.
>>
>
> there are now a half dozen x.x.x.x (where x is the same in all four
> octets) public anycast resolvers. if they can all be upgraded to handle
> dnssec or ECS, they can all be upgraded to handle something like ANAME.
>
> the "resolver" here is the recursive, not the stub. stubs believe what
> they hear, for good or ill. if we need to change what they hear, it's not
> as impossible as changing what they understand.
>
> --
> P Vixie
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>