Re: [DNSOP] abandoning ANAME and standardizing CNAME at apex

Tony Finch <> Fri, 22 June 2018 20:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 879C6130EE7 for <>; Fri, 22 Jun 2018 13:08:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 1Rlr76rcE8IL for <>; Fri, 22 Jun 2018 13:08:07 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6DE81130EE5 for <>; Fri, 22 Jun 2018 13:08:07 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal []) by mailout.nyi.internal (Postfix) with ESMTP id C1AFC21C1D; Fri, 22 Jun 2018 16:08:06 -0400 (EDT)
Received: from mailfrontend1 ([]) by compute4.internal (MEProxy); Fri, 22 Jun 2018 16:08:06 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=QWb29Y //JhWdXtkAqyAGSdVcDzhEKh3SbkvJOwqTxrs=; b=vN8f2HHfN6co5MaLrVDNTk DIUtO9d5kmJdncyZ1eZFxj1sf3Q7j3xqpcy02UTDJgWZVT6NVGqvY7YQ/EC6LrrT LgyeWNb02BU1/hRFXskxXL50qxgW/Dx71xX5YiiNZdBFv9FADAmUITpSGkU+l3Pn ENhEjzczMkI4G8fgxfqC46iK8WQxmgJgrhk5iGefu02ypLdv5ZwhKOXY96d3Wpjm tMyFCf9Cet/UNKTAt9TQcWndYpc1HBW9PISUV5uu2RsxPyil4+oYA/agq3Y9akJ8 mBa+belq2Mu0EurbhrMH8fJ7ow3Nbf14h/HrD97BgWL+sEQi7ulwEy1aCm75JI8A ==
X-ME-Proxy: <xmx:JlctWzzOTMYbZwX1TAB5I54TgS0Kv1c_DISM5nx-ohZvP0Tw_2VTYg> <xmx:JlctW7etlsuQShQBb_PJlkN9T6Jx54GoErFe5_hUGGTgHo2KCltRDw> <xmx:JlctW_KpyA2NdWDOUX7YYnqqxctqmbbOzSmIK6NEF57pxU91xkp-Sw> <xmx:JlctW8FF_pctMzwYSsU494VjltX60GTNefROywFg-G3QaPlKcEQMLA> <xmx:JlctW5oEc3N4i6mNl38BENIP-FewrlBRZX5UoczbeUNxcYohviVafA> <xmx:JlctW2NHr6nGQs62xDAXqjZp9q8gjXq2brsTVxMfWwcHKeZ4DpPHcA>
X-ME-Sender: <xms:JlctW-dQAdZWyhiaQcPZD4KBEw5tv_m3F2C1dXISLvrgPYC8KaTP4g>
Received: from [] (unknown []) by (Postfix) with ESMTPA id 2F468E4329; Fri, 22 Jun 2018 16:08:06 -0400 (EDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (1.0)
From: Tony Finch <>
X-Mailer: iPhone Mail (15F79)
In-Reply-To: <>
Date: Fri, 22 Jun 2018 21:08:04 +0100
Cc:,, dnsop <>, Ray Bellis <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <> <> <> <> <20180622191334.GA15349@jurassic> <>
To: Warren Kumari <>
Archived-At: <>
Subject: Re: [DNSOP] abandoning ANAME and standardizing CNAME at apex
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 22 Jun 2018 20:08:10 -0000

The problem with SRV (and MX) is that you can’t tell what an empty additional section means. (By “you” I mean anything in the resolver chain: app, stub, recursor, etc.)

If the AAAA records are missing, does that mean there aren’t any? Does it mean they were not cached? Does it mean the server chose not to provide them for some other reason?

If you want to find out, you have to make a follow-up query to get a clear answer, so you have spent two round trips instead of one. And hopefully your recursive server omitted the AAAA because it has an ncache entry so you get a quick answer, but that’s unlikely if the auth server didn’t provide AAAA and the resolver didn’t eagerly go chasing (which they don’t) and you are an early adopter of SRV so no one else filled the ncache for you.

This can (in theory) be fixed with DNSSEC, but the additional section processing rules have to be changed so that they require the nonexistence proof when records are missing, and of course stubs and apps have to be changed to understand the NSEC(3) records.

Mail servers generally regard additional sections as too unreliable to be useful, and take the simpler slower approach of making all the queries explicitly. It works for them because they are not especially worried about latency.

Because of all this I can sympathize with browser authors to some extent; on the other hand, if they had adopted SRV before it was too late, we might have done more to fix these problems in the last 22 years. (eg an EDNS option to disambiguate missing additional records, maybe.)

f.anthony.n.finch  <>