Re: [DNSOP] Fundamental ANAME problems

Dan York <york@isoc.org> Tue, 06 November 2018 15:56 UTC

Return-Path: <york@isoc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDD6312D4EB for <dnsop@ietfa.amsl.com>; Tue, 6 Nov 2018 07:56:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isoc.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AImH8yPYBYdm for <dnsop@ietfa.amsl.com>; Tue, 6 Nov 2018 07:56:26 -0800 (PST)
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (mail-bl2nam02on062d.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe46::62d]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66E8212426A for <dnsop@ietf.org>; Tue, 6 Nov 2018 07:56:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isoc.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=88uXZg0/JiNJPK732PE1Vpp4+XjtkHz1pagG5LZO1gg=; b=L00ix0p/WIG9LuQ57jyOKCLJ/P/oIZ3CtpP5Y5G9JeQCiMxGYse9eKc7eEUqjMfl6LmuE+ad8esKFZ7QatMRFn87swZmR4x5TP72yHEJc2lQhLZSYhERHlzZel8Uk6MVIABLILn49Oo3j7f6UESUz5nHNcol3erb5XDzqr8gRjA=
Received: from BN3PR0601MB1314.namprd06.prod.outlook.com (10.161.210.139) by BN3PR0601MB1138.namprd06.prod.outlook.com (10.160.157.151) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1294.21; Tue, 6 Nov 2018 15:56:23 +0000
Received: from BN3PR0601MB1314.namprd06.prod.outlook.com ([fe80::6ddc:e11:56b8:b6ba]) by BN3PR0601MB1314.namprd06.prod.outlook.com ([fe80::6ddc:e11:56b8:b6ba%9]) with mapi id 15.20.1294.034; Tue, 6 Nov 2018 15:56:22 +0000
From: Dan York <york@isoc.org>
To: Olli Vanhoja <olli@zeit.co>
CC: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [DNSOP] Fundamental ANAME problems
Thread-Index: AQHUcjMbISkZgf9GuEewb6XmP1KpcqU83bOAgAGN8QCAAAgCAIAArT8AgAAVvwCAAEjxAIAAGVcAgALWmgCAAH6ZgA==
Date: Tue, 6 Nov 2018 15:56:22 +0000
Message-ID: <AB45F69E-A3CD-4381-B146-AC5393C4EC38@isoc.org>
References: <CAH1iCirXYsYB3sAo8f1Jy-q4meLmQAPSFO-7x5idDufdT_unXQ@mail.gmail.com> <CA+nkc8C6yVT62cW5QP-ec2ZT7FY_n48Ecr=CLeE6FS_1duBO8g@mail.gmail.com> <CAJhMdTOwU88BkukodL_zXcK1=JenExX4HL46Zzbw=+btLbDG2A@mail.gmail.com> <20181103193258.GE20885@besserwisser.org> <3E93AE5D-C8AC-496E-85DB-57E6F8E92DF5@frobbit.se> <00158263-85dd-69ce-5299-13ff4c2411c5@bellis.me.uk> <DCBDB76E-E9E8-4FAE-9EF4-56EABFFA9AD1@frobbit.se> <17c409ef-207a-2e53-3496-d98727ecb71d@bellis.me.uk> <CABrJZ5EWGZcxhxf+VxuRsS+b7eX8cYsLGrHOrVzk_qmoFDKh7A@mail.gmail.com>
In-Reply-To: <CABrJZ5EWGZcxhxf+VxuRsS+b7eX8cYsLGrHOrVzk_qmoFDKh7A@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=york@isoc.org;
x-originating-ip: [2001:67c:1232:144:b924:5013:ece0:c3f9]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN3PR0601MB1138; 6:vVwsCsdnT+L/qhoFh90Q6B8LZZXJZfjigOGR/Rmj7l1GyL6coy0eIFfK1zm9KGd6K59CT4ab2IGt6niGv2irUX9ZqbBW7DtlYokj4ww5we6lFAiIga+mdXfUzO33NrBvrczn4N0skSCPLE5mmR3/+c7cHUdkx8k63h37urOjNe26p2tLbZYU1HG4U0k2LCNYcYs/yAlcCMooYjsEl+Fcl3/NcwOJwevg8vUNMHd3L8JpIAZfNeV+0bK8dTwPAxKspTYNS5SQkLmFBXH66SlJeBSXXcRXy/dMBTWn8/OblTUbOXUlXTZMcov4FhZc55kXWdYWrSrcjTh+Hzy/FJGKqaT/gweWyIJAlkdeLdubmGJdQxsfqitZ3sIo6bLKVHX7mKnk0oBb5rkDplu37GhiAl9TNsWHq1p1l0rMS+dcocCOELn6zzf926vJ7kKvknRY1WW2i39ZGur+7Vhj8S0h0g==; 5:rDjkVNrBo421MDN3ppYrCrbrk8Dn22Q0I3y3j4Z6ujunmiP4WiELrfNwoDaa5/HTLNl6jc4DLy4udl6rZ+HGiQQHqm/YobBoYlILxFRtTucdYl4DT4Depvs3sXRnOTaPNbus7yU9jDlTFmkzIKhLCP6BFMHilHZQ4g1s71pATQo=; 7:Z90ezd5AqxmAmL0mDhZrgmiwsgKzIkRcqiu90/ibsVPZJ/88TUE0fMrI/0/STyH7gbyiQV5LIEvEr7U9YBmBHmPapuVOFcc2OLHQ06fnPZuTWtdCfT2ugr+AGxNdNrPLYVxDu68/OA14Oi8SaAsElw==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: bff4e111-c5d7-463d-b250-08d64400664a
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(2017052603328)(7153060)(49563074)(7193020); SRVR:BN3PR0601MB1138;
x-ms-traffictypediagnostic: BN3PR0601MB1138:
x-microsoft-antispam-prvs: <BN3PR0601MB113810A83E2685967857068FB7CB0@BN3PR0601MB1138.namprd06.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(120809045254105)(31418570063057);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(102415395)(6040522)(2401047)(5005006)(8121501046)(3231382)(944501410)(4983020)(4982022)(52105095)(10201501046)(93006095)(93001095)(3002001)(148016)(149066)(150057)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123558120)(20161123562045)(20161123564045)(201708071742011)(7699051)(76991095); SRVR:BN3PR0601MB1138; BCL:0; PCL:0; RULEID:; SRVR:BN3PR0601MB1138;
x-forefront-prvs: 0848C1A6AA
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39850400004)(396003)(366004)(136003)(376002)(346002)(199004)(189003)(83716004)(82746002)(53936002)(6916009)(316002)(25786009)(53376002)(229853002)(71200400001)(71190400001)(106356001)(105586002)(5660300001)(54896002)(68736007)(8936002)(36756003)(236005)(33656002)(6306002)(4326008)(99286004)(478600001)(6246003)(606006)(7736002)(53546011)(76176011)(966005)(6486002)(14454004)(256004)(6512007)(486006)(476003)(2616005)(86362001)(102836004)(46003)(99936001)(6506007)(93886005)(11346002)(446003)(97736004)(8676002)(186003)(2906002)(2900100001)(81166006)(6436002)(81156014)(6116002); DIR:OUT; SFP:1101; SCL:1; SRVR:BN3PR0601MB1138; H:BN3PR0601MB1314.namprd06.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: isoc.org does not designate permitted sender hosts)
x-microsoft-antispam-message-info: aUfnYKdUGgBO8eYEWlk6V4CyeZjo09mvY/c+O8vdgSBoElE7k6O0oLaKYDBLpHNW/wRWpg0NJ3ugd9xwWYZUickIcr5VOS2mbAQ6Ktvs/EzBeKpnNPFSPDZfA2wQHH4t0fcvUkYop2xZDoHkySEsHhcdXYrWwTTRHmN0a5jSXkvZFYCZmqqOJOg/7jveYtdr34eOb6KkLXRp55+WrZVNXaR48BKWUCISZOrYrG1Ic/v+8hgSXb5EALpmEwvt8Kn63fBN+h9GVc2usPJtRz6spjPB9Oz5dSBrzeJqb+PV1gaY1QZdDVIBYqO11vgECrE7nNza6D/Z0FSr34vGKtle9ZE5PivPknja7xbdF6USUG0=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/signed; boundary="Apple-Mail=_06CF9302-27E6-4CC9-B596-BEE156216A55"; protocol="application/pkcs7-signature"; micalg=sha1
MIME-Version: 1.0
X-OriginatorOrg: isoc.org
X-MS-Exchange-CrossTenant-Network-Message-Id: bff4e111-c5d7-463d-b250-08d64400664a
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Nov 2018 15:56:22.5553 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 89f84dfb-7285-4810-bc4d-8b9b5794554f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR0601MB1138
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zmgRPPDG8tgAEcKzq6Sla040tI8>
Subject: Re: [DNSOP] Fundamental ANAME problems
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Nov 2018 15:56:30 -0000

Olli,

> On Nov 6, 2018, at 3:23 PM, Olli Vanhoja <olli@zeit.co>; wrote:
> 
> In fact if you look at the DNS records some big Internet companies
> they rarely use CNAMEs for www but instead you'll see an A record, that might
> be even backed by a proprietary ANAME solution.

One detail about this is that if the CDN being used by the large Internet company is *also* providing the DNS hosting for the Internet company, then the CDN will do its resolution internally and return A / AAAA records directly. 

I did not do the kind of large scale measurement that Thomas Peterson did, but in anecdotally looking at the www records for a number of sites returning A/AAAA records, I often saw that the ones returning A / AAAA records also had NS records pointing to name servers run by CDNs I could recognize.  (I mentioned this in a note currently as section 2.1 of https://datatracker.ietf.org/doc/draft-york-dnsop-cname-at-apex-publisher-view/ <https://datatracker.ietf.org/doc/draft-york-dnsop-cname-at-apex-publisher-view/>  )

So yes, in those cases the A record is being dynamically created by whatever (potentially proprietary) ANAME/CNAME-like solution the CDN vendor is using internally in their DNS hosting operations. 

Dan

--
Dan York
Director, Content & Web Strategy, Internet Society
york@isoc.org   +1-802-735-1624 
Jabber: york@jabber.isoc.org  Skype: danyork   http://twitter.com/danyork

http://www.internetsociety.org/