Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00.txt

Willem Toorop <willem@nlnetlabs.nl> Tue, 18 July 2017 13:19 UTC

Return-Path: <willem@nlnetlabs.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8451812EC57 for <dnsop@ietfa.amsl.com>; Tue, 18 Jul 2017 06:19:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.002
X-Spam-Level:
X-Spam-Status: No, score=-7.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sbugEBuiJIv0 for <dnsop@ietfa.amsl.com>; Tue, 18 Jul 2017 06:19:47 -0700 (PDT)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [185.49.140.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8D7112EC3F for <dnsop@ietf.org>; Tue, 18 Jul 2017 06:19:46 -0700 (PDT)
Received: from [172.20.11.195] (unknown [88.208.89.131]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id 072E6B328 for <dnsop@ietf.org>; Tue, 18 Jul 2017 15:19:45 +0200 (CEST)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=none header.from=nlnetlabs.nl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1500383985; bh=WWedVUURWrKfG3b++MK3Ynwpxnf1gvjmCxt34eBLVW8=; h=Subject:To:References:From:Date:In-Reply-To; b=TxZ6jZYMR0QSNc2cxEUR4VTUoimq54btK5AR9dmnK+rsk3rgZGl/dEecqh+paHw2y 0UjIsKQ8FNJUgr1ahUu5ldzenN7ji8uJdIXN+HCdsv7IMbDwS6G706P9GZGgCAuHkc hfWzbRHXJN3JW8vNfsjcHEeTGokuC7KdE03Wl13E=
To: dnsop@ietf.org
References: <149592096439.3966.11385984990945858242@ietfa.amsl.com>
From: Willem Toorop <willem@nlnetlabs.nl>
Message-ID: <0edbf3f2-e575-3b34-d3f2-f1424f29f6e4@nlnetlabs.nl>
Date: Tue, 18 Jul 2017 15:19:44 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <149592096439.3966.11385984990945858242@ietfa.amsl.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-GB
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kz4uN9PAVfv0K4AR6Q5xAnmtues>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jul 2017 13:19:48 -0000

I support trying to come up with a standards solution for alias names at
the apex.  But....

The dependency on online signing is a little more then just a technical
issue.

Currently the zone owner, the holder of the domain name, is the one
having control over the zone content and as such also the one deciding
who may sign her zone.  She may choose to delegate this to a DNS
operator, or she may decide to sign the zone herself and let the DNS
operator serve the signed zone.

Currently all DNS Resource Records support the "offline" domain-name
holder signed zones mode of DNSSEC.  There is another provisioning
oriented resource record: DNAME.  For DNAME, it is described how
validators can verify that the followed referral matches. The same thing
should be done for ANAME.

It would be a new DNSSEC feature that need to be supported by the DNSSEC
validators.  There has been an earlier instance of the introduction of a
new DNSSEC feature: NSEC3.  The introduction of a DNSSEC compatible
ANAME should be done the same way as how NSEC3 was introduced: introduce
new algorithm numbers that indicate ANAME support.

We currently have 12 DNSSEC algorithms.  The introduction of a new
feature could list these same algorithm from number 17 up to 29, with
the indication that it supports the new DNSSEC features,  ANAME would be
one of them.  NSEC5 another maybe?


Op 27-05-17 om 23:36 schreef internet-drafts@ietf.org:
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Domain Name System Operations of the IETF.
> 
>         Title           : Address-specific DNS Name Redirection (ANAME)
>         Authors         : Evan Hunt
>                           Peter van Dijk
>                           Anthony Eden
> 	Filename        : draft-ietf-dnsop-aname-00.txt
> 	Pages           : 10
> 	Date            : 2017-05-27
> 
> Abstract:
>    This document defines the "ANAME" DNS RR type, to provide similar
>    functionality to CNAME, but only redirects type A and AAAA queries.
>    Unlike CNAME, an ANAME can coexist with other record types.  The
>    ANAME RR allows zone owners to redirect queries for apex domain names
>    in a standards compliant manner.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-aname/
> 
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-dnsop-aname-00
> https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-aname-00
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>