Re: [DNSOP] abandoning ANAME and standardizing CNAME at apex

Joe Abley <> Tue, 19 June 2018 21:09 UTC

From: Joe Abley <>
Date: Tue, 19 Jun 2018 17:08:00 -0400
Cc: Tony Finch <>,
To: Ray Bellis <>

On 19 Jun 2018, at 17:03, Ray Bellis <> wrote:

> On 19/06/2018 17:44, Tony Finch wrote:
>> SRV should have been part of the fix (and it was invented early
>> enough to be!) but it wasn't a complete fix without support from the
>> application protocols.
> AIUI, a large part of the supposed issue with SRV was the inertia of the
> installed base of browsers that wouldn't know how to access them.
> Ironically the proposed fix seems to require upgrades to the
> installed base of one of the most important network infrastructure
> services on the planet.
> Meanwhile, a very large portion of the installed base of web browsers
> gets automatically and silently upgraded every month or so...

I think so long as there's a fallback for clients that don't yet have SRV implemented (e.g. publish A/AAAA RRSets at the same owner name as the SRV RRSet, and specify the behaviour by SRV-compliant servers in the event that both are present) this is not a plausible engineering argument.

Processing an SRV might require additional DNS lookups to get name -> SRV -> SRV target -> address, but that's a one-time hit per TTL and I think it's a stretch to paint that as definitely a problem. Modelling is required and worst cases remain to be understood.

If there are definitive problems it would be good to hear what they are. It has always sounded to me like the problem is "this is not how we did things before". Perhaps the cost of change is not actually in the client, but in the provisioning/client education/product packaging across all web and hosting services?
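Added illustration, not from this thread or from any DNSOP draft: a stub resolver over constructed zone data makes the lookup chain described above (name -> SRV -> SRV target -> address) visible by counting queries, and shows one possible "both present" rule, where an SRV-aware client uses only the SRV RRSet and a legacy client only ever sees the A/AAAA RRSets at the same owner name. The zone contents, the `_https._tcp` and `_ftp._tcp` owner names, and the "both present" rule are assumptions made for the example.

```python
"""Toy model of SRV resolution with A/AAAA fallback (constructed data, no real DNS traffic)."""
import random
from collections import defaultdict

# Constructed zone: (owner, rrtype) -> list of rdata.
# SRV rdata is (priority, weight, port, target); A/AAAA rdata is an address string.
ZONE = {
    ("_https._tcp.example.com.", "SRV"): [
        (10, 60, 443, "web1.example.com."),
        (10, 40, 443, "web2.example.com."),
        (20, 0, 8443, "backup.example.com."),
    ],
    ("web1.example.com.", "A"): ["192.0.2.1"],
    ("web1.example.com.", "AAAA"): ["2001:db8::1"],
    ("web2.example.com.", "A"): ["192.0.2.2"],
    ("backup.example.com.", "A"): ["192.0.2.3"],
    # Fallback RRSets at the same owner name for clients that do not know SRV.
    ("example.com.", "A"): ["192.0.2.1", "192.0.2.2"],
    ("example.com.", "AAAA"): ["2001:db8::1"],
    # RFC 2782: a single SRV with target "." means the service is not offered here.
    ("_ftp._tcp.example.com.", "SRV"): [(0, 0, 0, ".")],
}


class StubResolver:
    """Answers from ZONE and counts queries, standing in for a recursive resolver."""

    def __init__(self, zone):
        self.zone = zone
        self.queries = 0

    def query(self, owner, rrtype):
        self.queries += 1
        return list(self.zone.get((owner, rrtype), []))

    def addresses(self, owner):
        # One query each for A and AAAA, as a dual-stack client would issue.
        return self.query(owner, "A") + self.query(owner, "AAAA")


def order_srv(records, rng):
    """Order SRV records per RFC 2782: ascending priority, weighted-random within a priority."""
    by_priority = defaultdict(list)
    for rec in records:
        by_priority[rec[0]].append(rec)
    ordered = []
    for prio in sorted(by_priority):
        pool = by_priority[prio]
        while pool:
            total = sum(r[1] for r in pool)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for rec in pool:
                running += rec[1]
                if running >= pick:
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered


def resolve_service(resolver, service, domain, default_port, srv_capable=True, rng=None):
    """Client logic. Returns [(host, port, [addresses])] in connection order.

    Assumed "both present" rule: an SRV-capable client uses only the SRV RRSet;
    a legacy client never asks for SRV and uses the A/AAAA at the domain itself.
    Raises LookupError when the service is explicitly not offered or has no addresses.
    """
    rng = rng or random.Random(0)
    if srv_capable:
        srv = resolver.query(f"_{service}._tcp.{domain}", "SRV")
        if srv:
            if len(srv) == 1 and srv[0][3] == ".":
                raise LookupError(f"{service} explicitly not available at {domain}")
            targets = []
            for _prio, _weight, port, target in order_srv(srv, rng):
                addrs = resolver.addresses(target)
                if addrs:  # skip SRV targets that resolve to nothing
                    targets.append((target, port, addrs))
            return targets
    # Legacy path (or no SRV published): the owner name itself, default port.
    addrs = resolver.addresses(domain)
    if not addrs:
        raise LookupError(f"no address records for {domain}")
    return [(domain, default_port, addrs)]


def lookup_cost(service, domain, default_port, srv_capable=True):
    """Return (number of queries issued, connection targets) for one resolution."""
    resolver = StubResolver(ZONE)
    try:
        targets = resolve_service(resolver, service, domain, default_port, srv_capable)
    except LookupError:
        targets = []
    return resolver.queries, targets


if __name__ == "__main__":
    print("SRV-capable:", lookup_cost("https", "example.com.", 443))
    print("legacy:     ", lookup_cost("https", "example.com.", 443, srv_capable=False))
    print("ftp:        ", lookup_cost("ftp", "example.com.", 21))
```

Against this zone the SRV-capable path issues seven queries (one SRV plus A and AAAA for each of three targets) against two for the legacy path, which is the per-TTL round-trip cost the message refers to; a resolver cache collapses the repeats until the records expire.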