Re: [DNSOP] Minimum viable ANAME

Paul Wouters <paul@nohats.ca> Wed, 19 September 2018 23:27 UTC

Date: Wed, 19 Sep 2018 19:27:33 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <08C8A740-D09B-4577-AF2A-79225EDB526B@dotat.at>
Message-ID: <alpine.LRH.2.21.1809191921500.16965@bofh.nohats.ca>
References: <20180919201401.8E0C220051382A@ary.qy> <08C8A740-D09B-4577-AF2A-79225EDB526B@dotat.at>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pKzZkTAnv3AytfpaOe9iTe0HJfQ>
Subject: Re: [DNSOP] Minimum viable ANAME

On Wed, 19 Sep 2018, Tony Finch wrote:

>> If I look up foo and it has an ANAME to bar, which of these do I get
>> back?
>
> ; ANSWER SECTION
> foo. A 1.2.3.4
>
> ; ADDITIONAL SECTION
> foo. ANAME bar.
> bar. A 1.2.3.4
>
> The model is that this is a replacement for manually copying address records, with added hints to resolvers that they might want to re-do the copying in order to get geo-optimized answers or other complicated tricks.

Exactly. And some DNS server add-on can go look through the zone files
and find ANAME records, and do the query/updating via a cron job and
reload or something.

This is a simple solution that works.

> With this model, signing only happens where it currently happens.

Good. Although if you want to return bar's IP if it is different from
foo's IP and for resolvers that don't understand ANAME, you have to
synthesize these, but at least then it is no worse than DNS64 with
respect to DNSSEC.

>> PS: I still think fixing apex CNAME is a better way to go.
>
> There are still DNS servers out there running on 1990s semantics, so I don’t think CNAME can be fixed any time soon - much of my practical annoyance comes from people asking for CNAME and MX and this combination is doom on a stick because it involves crazy MTA DNS message handlers, not just DNS servers. My guess at deployment timelines is:

I agree, CNAME is tainted.

Paul
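The approach Paul sketches above (an add-on scans the zone for ANAME records, resolves each target, and rewrites the address records at the owner before the zone is reloaded and signed as usual) and the answer/additional layout Tony quotes, as an added Python example. This is not code from the thread or from any ANAME implementation; the zone text and the target address table are constructed stand-ins for real zone data and for the live resolver queries such a job would make, so it runs offline.

```python
"""Toy ANAME expansion in the style of the periodic "cron job" approach:
scan a zone for ANAME records, resolve each target, synthesize A/AAAA
records at the owner, and show how a server would lay out the reply.

Added example; not from the thread or any real ANAME implementation.
All data below is constructed for illustration.
"""
import re

# Constructed zone fragment. foo has an ANAME to a name in another zone and
# also an MX, the combination CNAME cannot express (an ANAME owner may carry
# other records, which is the point of the type).
ZONE_TEXT = """\
example.test.      3600 IN SOA   ns1.example.test. hostmaster.example.test. 1 7200 900 1209600 300
example.test.      3600 IN NS    ns1.example.test.
foo.example.test.  3600 IN ANAME bar.provider.test.
foo.example.test.  3600 IN MX    10 mail.example.test.
www.example.test.  3600 IN A     192.0.2.10
"""

# Constructed stand-in for the resolver queries a real add-on would send to
# bar's authoritative servers (assumption: a dict instead of live DNS).
TARGET_ADDRESSES = {
    "bar.provider.test.": {"A": ["198.51.100.1", "198.51.100.2"],
                           "AAAA": ["2001:db8::1"]},
}

ADDRESS_TYPES = ("A", "AAAA")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_zone(text):
    """Return (owner, ttl, rtype, rdata) tuples from presentation-format lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if not m:
            raise ValueError(f"unparseable record: {line!r}")
        owner, ttl, rtype, rdata = m.groups()
        records.append((owner, int(ttl), rtype, rdata.strip()))
    return records


def expand_aname(records, lookup):
    """Synthesize A/AAAA at every ANAME owner from the target's addresses.

    The ANAME record itself stays in the zone so ANAME-aware resolvers can
    re-do the copying themselves. Any address records already present at an
    ANAME owner are replaced by the freshly fetched set, which is exactly
    what a periodic re-copy does. The result is what gets signed.
    """
    anames = {(o, ttl, rdata) for o, ttl, t, rdata in records if t == "ANAME"}
    owners = {o for o, _, _ in anames}
    out = [r for r in records
           if not (r[0] in owners and r[2] in ADDRESS_TYPES)]
    for owner, ttl, target in sorted(anames):
        addrs = lookup.get(target)
        if addrs is None:
            # Unresolvable target: publish no addresses rather than invent
            # any. A real job would log this and keep the last-good set.
            continue
        for rtype in ADDRESS_TYPES:
            for addr in addrs.get(rtype, []):
                out.append((owner, ttl, rtype, addr))
    return out


def build_response(records, lookup, qname, qtype):
    """Lay out a reply as in Tony's example: the synthesized address records
    in ANSWER, the ANAME plus the target's own addresses as hints in
    ADDITIONAL so an ANAME-aware resolver can re-resolve if it wants to."""
    answer = [r for r in records if r[0] == qname and r[2] == qtype]
    additional = []
    for r in records:
        if r[0] == qname and r[2] == "ANAME":
            additional.append(r)
            target = r[3]
            for rtype in ADDRESS_TYPES:
                for addr in lookup.get(target, {}).get(rtype, []):
                    additional.append((target, r[1], rtype, addr))
    return {"answer": answer, "additional": additional}


if __name__ == "__main__":
    expanded = expand_aname(parse_zone(ZONE_TEXT), TARGET_ADDRESSES)
    for section, rrs in build_response(expanded, TARGET_ADDRESSES,
                                       "foo.example.test.", "A").items():
        print(f"; {section.upper()} SECTION")
        for owner, ttl, rtype, rdata in rrs:
            print(f"{owner} {ttl} IN {rtype} {rdata}")
```

The only state the job needs is the zone itself plus whatever it learns from the target lookups; a legacy resolver sees ordinary A records at foo and never has to know the ANAME exists, while an ANAME-aware one gets the ADDITIONAL hints and can decide to re-copy.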