Re: [DNSOP] Minimum viable ANAME

Tony Finch <> Fri, 21 September 2018 11:03 UTC

List-Id: IETF DNSOP WG mailing list <>

神明達哉 <> wrote:
> I'm not sure how we can expect this model to deploy in practice.  With
> this model, the zone admin will need to develop an additional script
> or something integrated into whatever the provisioning framework they
> are using.  Is that the assumption?

I would like it to be integrated into the DNS server, like automatic
DNSSEC signing. But you can implement it as a bag on the side and lots of
places have already done that. (I have a half-arsed implementation which I
desperately want to replace with something better.)

> Perhaps primary server implementations may eventually have some level
> of support that makes this provisioning much less painful (in a way
> other than performing on-demand resolution).  If and when many popular
> implementations do it in a convenient way (at least as convenient as
> the proprietary alternatives), we may hope the new model with ANAME
> optimization will start to deploy, eventually with wider deployment of
> the optimization part as more resolvers support it.

It doesn't have to be sequential like that: the additional section
processing on auth and rec servers, and resolver ANAME optimization won't
cause any interop problems, so they can be deployed whenever the code is
ready and they'll have a useful effect when they encounter an ANAME

f.anthony.n.finch  <>
Rockall, Malin, Hebrides, Bailey: Northwest 5 to 7, occasionally gale 8 except
in Rockall, decreasing 4 later. Rough or very rough, becoming moderate or
rough except in Bailey. Showers. Moderate or good.