Re: [DNSOP] abandoning ANAME and standardizing CNAME at apex

Joe Abley <> Sun, 24 June 2018 02:43 UTC

From: Joe Abley <>
Date: Sat, 23 Jun 2018 19:43:19 -0700
List-Id: IETF DNSOP WG mailing list <>

Hi Victor,

On Jun 23, 2018, at 17:04, Viktor Dukhovni <> wrote:

> [...]
> Yes, but if they have the NSEC bitmap, they can follow the XNAME
> without asking again.
> [...]
> That's already handled by NSEC/NSEC3.

I think a pragmatic solution needs to work in unsigned zones.

The demand for this kind of functionality is from the same customers
who are relying upon non-standard response tricks from enterprise DNS
providers as part of wider requirements for things like geo-steering
and site failover.

Many of those enterprise DNS providers don't support those tricks in
signed zones (in part, no doubt, because doing so would be complicated
and there has not been significant demand for it, by which I mean
customers willing to pay more for it).

If an XNAME proposal were to solve real-world problems for these people,
it would need to work with or without DNSSEC.

(And I wasn't entirely serious about calling the wildcard RRTYPE * :-)
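The exchange above turns on what an NSEC type bitmap tells a resolver: in a signed zone the bitmap lists every RRTYPE present at the owner name, so a resolver that already holds it can tell whether an alias-type record exists there without a further query, while an unsigned zone offers no such bitmap at all. The following is an added example, not code from this thread or from either author; it encodes and decodes the RFC 4034 section 4.1.2 type bitmap wire format and models the unsigned case as an absent bitmap. The sample type sets are constructed, and since XNAME is a hypothetical name in this discussion with no assigned type code, CNAME (type 5) stands in as the alias type.

```python
# Added example (not from the DNSOP thread): RFC 4034 section 4.1.2 NSEC
# type bitmap encoding/decoding, plus the "can I follow the alias without
# asking again?" check the quoted message alludes to.

# A few well-known RRTYPE codes, enough for the constructed samples below.
TYPE_CODES = {
    "A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16,
    "AAAA": 28, "RRSIG": 46, "NSEC": 47, "DNSKEY": 48,
}


def encode_type_bitmap(types):
    """Encode an iterable of RRTYPE codes as NSEC type bitmap windows.

    Each window is: window number (1 octet), bitmap length (1..32 octets),
    bitmap; bit 0 of octet 0 is the most significant bit (MSB-first).
    """
    windows = {}
    for t in sorted(set(types)):
        if not 0 <= t <= 65535:
            raise ValueError("RRTYPE out of range: %d" % t)
        window, low = divmod(t, 256)
        bits = windows.setdefault(window, bytearray(32))
        bits[low // 8] |= 0x80 >> (low % 8)
    out = bytearray()
    for window in sorted(windows):
        bits = windows[window]
        # Trailing all-zero octets are omitted (RFC 4034 section 4.1.2).
        length = len(bits)
        while length > 0 and bits[length - 1] == 0:
            length -= 1
        out += bytes([window, length]) + bytes(bits[:length])
    return bytes(out)


def decode_type_bitmap(data):
    """Decode NSEC type bitmap wire data into a set of RRTYPE codes.

    Rejects truncated windows and out-of-range lengths rather than
    guessing, so a malformed record cannot be read as "type absent".
    """
    types = set()
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header")
        window, length = data[i], data[i + 1]
        if not 1 <= length <= 32:
            raise ValueError("invalid bitmap length %d" % length)
        block = data[i + 2:i + 2 + length]
        if len(block) != length:
            raise ValueError("truncated bitmap in window %d" % window)
        for octet_index, octet in enumerate(block):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add(window * 256 + octet_index * 8 + bit)
        i += 2 + length
    return types


def can_follow_alias(nsec_bitmap, alias_type=TYPE_CODES["CNAME"]):
    """Decide whether an already-held NSEC bitmap proves an alias exists.

    Returns True/False when a bitmap from a signed zone is available, and
    None when the zone is unsigned (no bitmap), i.e. the resolver has no
    authenticated type list and must send another query instead.
    """
    if nsec_bitmap is None:
        return None
    return alias_type in decode_type_bitmap(nsec_bitmap)


if __name__ == "__main__":
    # Constructed sample: a signed apex holding A, CNAME and AAAA.
    signed_apex = encode_type_bitmap([TYPE_CODES["A"], TYPE_CODES["CNAME"],
                                      TYPE_CODES["AAAA"]])
    print("bitmap:", signed_apex.hex())
    print("types:", sorted(decode_type_bitmap(signed_apex)))
    print("signed, alias present:", can_follow_alias(signed_apex))
    print("unsigned zone:", can_follow_alias(None))
```

The `None` return is the point Joe Abley raises: the shortcut Viktor describes is only available where the zone is signed, because the type list a resolver would act on comes from the NSEC record itself. The RFC 4034 worked example (A, MX, RRSIG, NSEC and TYPE1234) round-trips through these functions unchanged.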