Re: [DNSOP] abandoning ANAME and standardizing CNAME at apex

Joe Abley <> Sun, 24 June 2018 03:06 UTC

From: Joe Abley <>
Date: Sat, 23 Jun 2018 20:06:03 -0700
To: Paul Vixie <>
Subject: Re: [DNSOP] abandoning ANAME and standardizing CNAME at apex
List-Id: IETF DNSOP WG mailing list <>

On Jun 23, 2018, at 22:45, Paul Vixie <> wrote:

> Joe Abley wrote:
>> I think a pragmatic solution needs to work in unsigned zones.
>> ...
> can someone ask the IAB to rule on whether any new internet technology standard should address unsigned DNS zones, or for that matter, IPv4 networks?
> "let's move on."

I agree with the sentiment, but in practical terms in 2018 I think
this is just a recipe for more DNS extensions without standardisation,
which will not help customers who want diversity in providers or who
want to be able to switch providers easily.

To the example at hand, enterprise DNS providers have already
implemented XNAME-like functionality in unsigned zones and are
selling it. If they can't easily support a standardised mechanism,
they're going to carry on selling what they have.

These response-time tricks that need response-time signing or
pre-computation of signatures across a full set of possible responses
are used by a lot of high-traffic zones and there's significant money
and competition all around it. I don't think that ecosystem is highly
motivated by the opinions of the IAB, and so the pragmatic result of
such a (perfectly reasonable and architecturally progressive)
statement would be to hamstring the working group, not to make the
deployed system better.

If there was a visible horizon where DNSSEC was in widespread demand
and a zone being unsigned was unusual, I would think differently.
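The thread above argues about whether a CNAME-at-apex or ANAME mechanism must work in unsigned zones; it does not show the mechanics. The following is an added illustration, not code from the DNSOP thread or from any DNS provider: a toy in-memory zone that applies the RFC 1034 rule that a CNAME owner name may carry no other data (which is why a CNAME cannot sit at an apex that must also hold SOA and NS), and a minimal response-time "flattening" of the kind the message calls XNAME-like, where an ANAME-style record is replaced by the target's address records at query time. The `ANAME` type name, the `RRset` class, the zone contents and the `external` lookup table are all constructed for this example.

```python
# Added example: apex CNAME conflict check and response-time ANAME flattening.
# Not from the DNSOP thread; the zone data and the "external" answers are constructed.
from dataclasses import dataclass


@dataclass
class RRset:
    name: str       # owner name, fully qualified with trailing dot
    rtype: str      # record type, e.g. "A", "NS", "CNAME", "ANAME" (ANAME is illustrative)
    rdata: list     # record data values


def find_cname_conflicts(rrsets):
    """Return one message per owner name where a CNAME coexists with other data.

    RFC 1034 forbids any other RRset at a CNAME owner name. The apex always
    carries SOA and NS, so a CNAME at the apex is always reported here.
    """
    by_name = {}
    for rr in rrsets:
        by_name.setdefault(rr.name.lower(), set()).add(rr.rtype)
    return [
        f"{name}: CNAME coexists with {sorted(types - {'CNAME'})}"
        for name, types in sorted(by_name.items())
        if "CNAME" in types and len(types) > 1
    ]


def lookup(rrsets, name, rtype):
    """Exact-match lookup of an RRset by owner name and type."""
    return [rr for rr in rrsets if rr.name.lower() == name.lower() and rr.rtype == rtype]


def resolve_external(name, rtype, external):
    """Stand-in for the authoritative server's outbound lookup of the ANAME target.
    `external` is a constructed dict of what that lookup would return."""
    return external.get((name.lower(), rtype), [])


def answer(rrsets, external, qname, qtype):
    """Build the answer section for (qname, qtype) as a list of (name, type, value).

    If the owner has no direct RRset of the queried type but does have an
    ANAME-style record, the target's A/AAAA data is fetched at response time
    and returned under the owner name. Because that RRset is synthesised per
    response, in a signed zone it would have to be signed on the fly or
    pre-computed for every possible target answer, which is the cost the
    message above refers to.
    """
    direct = lookup(rrsets, qname, qtype)
    if direct:
        return [(rr.name, rr.rtype, v) for rr in direct for v in rr.rdata]
    aname = lookup(rrsets, qname, "ANAME")
    if aname and qtype in ("A", "AAAA"):
        target = aname[0].rdata[0]
        return [(qname, qtype, addr) for addr in resolve_external(target, qtype, external)]
    return []


# Constructed zones for the example.
APEX = "example.test."
SOA = RRset(APEX, "SOA", ["ns1.example.test. hostmaster.example.test. 1 3600 900 604800 300"])
NS = RRset(APEX, "NS", ["ns1.example.test."])

# Invalid: CNAME at the apex alongside the mandatory SOA and NS.
BAD_ZONE = [SOA, NS, RRset(APEX, "CNAME", ["cdn.example.net."])]

# Valid: ANAME-style record at the apex, ordinary CNAME only at www.
GOOD_ZONE = [SOA, NS,
             RRset(APEX, "ANAME", ["cdn.example.net."]),
             RRset("www.example.test.", "CNAME", ["cdn.example.net."])]

# Constructed answers the server would obtain for the ANAME target.
EXTERNAL = {("cdn.example.net.", "A"): ["192.0.2.10", "192.0.2.11"]}


if __name__ == "__main__":
    print(find_cname_conflicts(BAD_ZONE))
    print(find_cname_conflicts(GOOD_ZONE))
    print(answer(GOOD_ZONE, EXTERNAL, APEX, "A"))
    print(answer(GOOD_ZONE, EXTERNAL, APEX, "NS"))
```

Running it reports the apex conflict for `BAD_ZONE`, no conflicts for `GOOD_ZONE`, and an apex `A` answer carrying the target's addresses under `example.test.` while `NS` is still served from the zone's own data.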