Re: [DNSOP] abandoning ANAME and standardizing CNAME at apex

Mukund Sivaraman <muks@mukund.org> Wed, 19 September 2018 08:20 UTC

Return-Path: <muks@mukund.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4484B130FBD for <dnsop@ietfa.amsl.com>; Wed, 19 Sep 2018 01:20:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1H4UlT3Qcg-j for <dnsop@ietfa.amsl.com>; Wed, 19 Sep 2018 01:20:02 -0700 (PDT)
Received: from mail.banu.com (mail.banu.com [46.4.129.225]) by ietfa.amsl.com (Postfix) with ESMTP id B8C2C130FB2 for <dnsop@ietf.org>; Wed, 19 Sep 2018 01:20:01 -0700 (PDT)
Received: from jurassic (unknown [27.5.233.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.banu.com (Postfix) with ESMTPSA id 39A4332C0A26; Wed, 19 Sep 2018 08:19:58 +0000 (UTC)
Date: Wed, 19 Sep 2018 13:49:54 +0530
From: Mukund Sivaraman <muks@mukund.org>
To: Petr =?utf-8?B?xaBwYcSNZWs=?= <petr.spacek@nic.cz>
Cc: dnsop@ietf.org
Message-ID: <20180919081954.GC13027@jurassic>
References: <201809182002.w8IK2hCr011294@atl4mhob04.registeredsite.com> <b412d84f-df37-e416-63f7-2424ab1f68cb@nic.cz> <20180919073147.GA13027@jurassic> <a20845aa-3161-941d-55a2-d0b27731a879@nic.cz>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <a20845aa-3161-941d-55a2-d0b27731a879@nic.cz>
User-Agent: Mutt/1.9.2 (2017-12-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/nEAxV1ZytvsmB2zIsdbjPkU57P8>
Subject: Re: [DNSOP] abandoning ANAME and standardizing CNAME at apex
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Sep 2018 08:20:09 -0000

On Wed, Sep 19, 2018 at 09:48:18AM +0200, Petr Špaček wrote:
> 
> 
> On 19/09/2018 09:31, Mukund Sivaraman wrote:
> > On Wed, Sep 19, 2018 at 09:05:21AM +0200, Petr Špaček wrote:
> >> On 18/09/2018 22:02, JW wrote:
> >>>
> >>> -------- Original message --------
> >>> From: Mark Andrews <marka@isc.org>;
> >>>
> >>>> I would also expect a relatively large client population using SRV records
> >>>> given the rate Firefox and Chrome browsers are upgraded.  SRV lookups
> >>>> work for lots ofother protocols.  SRV records also make it through
> >>>> firewalls and IDS today.
> >>>>
> >>>
> >>> Hi Mark,
> >>>
> >>> I agree SRV is the obvious choice for a greenfield protocol but there is
> >>> HTTP code sprinkled /everywhere/.  I can't imagine all those forgotten
> >>> scripts, lonely IOT devices, and troubleshooting guides are going to be
> >>> as easy to solve as updating chrome and firefox.
> >>>
> >>> Whatever the solution, I feel it should be as transparent to the client
> >>> as possible.  CNAME would fit this bill but the negative impact is
> >>> largely unknown.
> >>
> >> TL;DR: Experiments with CNAME @ apex showed that it is not going to work
> >> if the domain has e.g. MX records for e-mail.
> >>
> >> Ondrej Sury describes his experimental results in presentation here:
> >> https://github.com/IETF-Hackathon/ietf102-project-presentations/blob/master/dns_hackathon-presentation.pdf
> > 
> > Aren't these results with current state of implementations? A cached
> > CNAME is expected to be matched against future type queries when
> > following RFC 1034/1035 behavior.
> > 
> > A change in behavior where resolvers expect that CNAME (as a fallback
> > type) will co-exist with other types will work properly.
> 
> Well, I started this thread because I naively thought that we can get
> away with *current* behavior which kind of works because of various
> non-standard workarounds. Experiment above proved me wrong so this seems
> like dead-end to me - it will have similar upgrade problem as any other
> new mechanism.

That's fair, but it would have lower implementation complexity which is
my concern. I much prefer SRV (that Mark's been pushing for several
years now) that is simpler and elegant.

A relaxed fallback-CNAME resolver implementation would not break the
DNS, so IMO that proposal should still be carried through so some X
years later most deployed resolvers will be capable of handling it.

		Mukund