Re: [DNSOP] Fundamental ANAME problems

Ray Bellis <> Sun, 04 November 2018 13:19 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 762BB127332 for <>; Sun, 4 Nov 2018 05:19:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id XI1D6cirkOOc for <>; Sun, 4 Nov 2018 05:19:40 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C21291200D7 for <>; Sun, 4 Nov 2018 05:19:40 -0800 (PST)
Received: from ([]:51600 helo=Rays-MacBook-Pro.local) by ([]:465) with esmtpsa ( (TLS1.0:RSA_AES_128_CBC_SHA1:16) id 1gJIJV-0003AP-73 (Exim 4.72) for (return-path <>); Sun, 04 Nov 2018 13:19:37 +0000
References: <> <> <>
From: Ray Bellis <>
Message-ID: <>
Date: Sun, 04 Nov 2018 20:19:35 +0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.3.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-GB
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [DNSOP] Fundamental ANAME problems
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 04 Nov 2018 13:19:42 -0000

On 04/11/2018 18:16, Brian Dickson wrote:

> Is the apex thing an optimization only (i.e. is it acceptable that
> the mechanism for apex detection not be 100% effective)? I think
> that's the input needed before it makes sense to go down any
> particular branch of design work, by either the http folks or the dns
> folks.

It's not a question of apex *detection*, it's that DNS simply doesn't
allow for the *provisioning* of a CNAME record at the apex.

Nor can you put a CNAME alongside any other "useful" DNS records, so you 
can't, for example, have a zone that looks like this:

@                IN SOA   ...
                  IN NS    ...
company-division IN MX    <company mail system>
company-division IN CNAME <cdn web host>

[I should perhaps put that as an example in the draft]

> Is knowing when something is (or is at least expected to be) the
> apex, one of the fundamental drivers on this issue?

No, the mechanism is general purpose and could be used for any
domain name that requires redirection (at the DNS / hostname level) to a
hostname that does not match the domain name in the URI.

[snipping irrelvant stuff about effective TLD lists]

> Related, follow-on question: If that new record type were pointing to
> the owner name (i.e. itself), or otherwise signaled that an A/AAAA at
> the owner name should be used, would having the authority server
> return the A/AAAA records as well fix the multiple-lookups issue,
> i.e. not require the lookup of the A/AAAA records if the new record
> type was not present?

Although it's not documented as such yet (and I should, because it's an
important clarifaction) an HTTP record that points to itself would be an
error, in the same way that a CNAME loop would be.

Architecturally, the important part of my proposal is that resolution of
the A and AAAA records is done *at the recursive layer* of the DNS, with
no interference with how authoritative resolution works.

[the only exception is if EDNS Client Subnet is in use, but that's a
case where the authoritatives already know how to generate the right
answer for any particular subnet]

> [snippage]

> I anticipate both the new record type and additional processing,
> would be less problematic on authority operators than ANAME.

The new record type has *no* implications at all for authority operators
other than in their provision systems, and since it uses the same RDATA
format as a PTR or CNAME record the implications there should be minimal.

> It adds more additional processing, but does not change the general 
> model of mostly-static zone data, which plays nice with DNSSEC.

There's *no* additional processing done in authoritatives.  I suppose
theoretically if the target happens to be on the same server as the
owner name than an authority might also include the A and AAAA records,
but it's not specified that way at the moment.
> For the recursives, the incremental change is the same additional 
> processing as authority servers (additional data if empty/self-ref, 
> possibly with extra queries, or CNAME-type processing.)

Roughly, except per above, this is the *only* incremental change in the
DNS infrastructure.   The other necessary change is in the HTTP clients
themselves, which IMHO is how it should be.

> Also: would this new record type (and query/response logic) make
> sense to use everywhere, not just at a zone apex?

Yes, per above.

> I think there would be nothing implicitly difficult in making it
> universal, on both the authority and recursive servers. For the
> recursive servers, I don't think they even have the ability to
> distinguish whether a name is apex or not (!!). For authorities, I
> don't think there's anything intrinsically apex-ish about what is
> required, so it would probably be less work to support the new record
> type anywhere.

It's not apex specific at all, but its design is specifically intended 
to address the CNAME at the apex issue.

kind regards,