Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-aname-00.txt

Florian Weimer <fweimer@redhat.com> Mon, 10 April 2017 09:29 UTC

DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 1DE1A80461
To: Evan Hunt <each@isc.org>, dnsop@ietf.org
References: <20170407181139.GB66383@isc.org>
From: Florian Weimer <fweimer@redhat.com>
Message-ID: <cc3bbc7a-3f48-2f7f-a3d9-3f752874fc00@redhat.com>
Date: Mon, 10 Apr 2017 11:29:50 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <20170407181139.GB66383@isc.org>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/vNWfiwnZhTRBa8SnOyfwUKfzoHI>
Subject: Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-aname-00.txt
Precedence: list

On 04/07/2017 08:11 PM, Evan Hunt wrote:
> Title:		Address-specific DNS Name Redirection (ANAME)

I think the introduction should discuss why it is not possible to push 
the CNAME to the parent zone, replacing the entire zone with an alias.

Section 3 is currently written in such a way that a recursive DNS lookup 
must be performed at the authoritative server side.  I don't think it is 
necessary to require that.  A recursive DNS lookup of the target is just 
one way to implement this.

In particular, the suggested recursive DNS lookup needs some form of 
distributed loop detection.  Otherwise, a malicious customer could 
publish two zones with ANAME records and achieve significant traffic 
amplification, potentially taking down the DNS hoster.  A hop count in 
an EDNS option or an “ANAME lookup in progress” indicator would be one 
way to implement this.  Another approach would impose restrictions on 
the owner name of an ANAME record and its target, and restrict where 
CNAMEs can appear, so that a valid ANAME can never point to another 
valid ANAME.

Thanks,
Florian

Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Evan Hunt
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Paul Wouters
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Richard Gibson
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… John Levine
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Paul Wouters
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Richard Gibson
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Peter van Dijk
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Peter van Dijk
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Ray Bellis
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Peter van Dijk
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Ray Bellis
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Florian Weimer
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Jan Včelák
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… John Levine
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Evan Hunt
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Peter van Dijk
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Tony Finch
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Tony Finch
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Tony Finch
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Paul Wouters
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Florian Weimer
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Florian Weimer
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Tony Finch
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Paul Wouters
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Florian Weimer
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Florian Weimer
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Tony Finch
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Evan Hunt
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Tony Finch
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Mark Andrews
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Florian Weimer
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Evan Hunt
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Florian Weimer
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Evan Hunt
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Tony Finch
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Florian Weimer
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Tony Finch
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Peter van Dijk
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Peter van Dijk
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Peter van Dijk
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… John Levine
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… John Levine
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Tony Finch
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Peter van Dijk
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Paul Wouters
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Evan Hunt
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Florian Weimer
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… 神明達哉
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Paul Wouters
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Evan Hunt
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Paul Wouters
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Tony Finch
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… 神明達哉
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Florian Weimer
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Peter van Dijk
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Lanlan Pan
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Peter van Dijk
[DNSOP] new ANAME draft: draft-hunt-dnsop-aname-0… Evan Hunt
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Job Snijders
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Peter van Dijk
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… Peter van Dijk
Re: [DNSOP] new ANAME draft: draft-hunt-dnsop-ana… 神明達哉