Re: [dnsext] SRV and wildcard CNAME

[Phillip Hallam-Baker <hallam@gmail.com>]

On Sun, Feb 20, 2011 at 7:56 PM, Masataka Ohta <
mohta@necom830.hpcl.titech.ac.jp> wrote:

> Larry Brower wrote:
>
> > I disagree, I say you are wasting it. Mark told you why it was a bad
> > idea and you just want to argue the point.
>
> It was already argued before Mark's first response:
>
> > Non existent protocols are not a problem, because they just do
> > not work, which is fine.
> > The problem is that protocols used share a port.
> > However, as the only protocol which may be used by *LAZY* users,
> > other than http, is https, it may share the same port as http,
> > if servers are implemented to distinguish them by the first
> > byte of the request.
>
> and, again, just after Mark's first response:
>
> > When the protocols used at the domain are http and https only,
> > nothing break.
>
> Protocols not used at a domain can not break at the domain,
> because they are not used.
>
> But Mark *REPEATED* his unfounded statement, which is
> the waste of bandwidth.


Mark is quite correct here.

I have been looking at this problem for five years now and I can assure you
that if Mark was wrong, I would know it.


The fundamental limitation here is that prefix records can only be applied
to canonical names. They do not give the desired results if either wildcards
or aliases are used.

Consider the following:

*.example.com   SRV 1 1 80 host1.example.com

Any attempt to resolve any service in example.com  will succeed whether or
not the service is provided. In other words the domain is advertising
services it does not support, this is a failure for a discovery mechanism.


The following attempt to create an alias for example.net to example.com also
fails:

example.net  CNAME example.com
_http._tcp.example.com SRV 1 1 80 host1.example.com


These are problematic because wildcards and aliases are features we want in
the DNS and they should be supported by advanced discovery.

The mechanism that I hope to have ready for an ID next week adopts the
following approach

Phase 1: Domain Resolution

The query is made for an unprefixed record. This query will return one of
the following results:

1) Domain not found - game over
2) CNAME alias - maps to canonical name
3) Record returned saying 'use SRV, use URI, use TBD'

In the case of a wildcard, there is a need to specify the address at which a
prefix record is to be applied.


Phase 2: Service Resolution

If indicated by domain resolution, SRV or URI resolution is employed to
resolve the service to a host.


It is possible to save the principle of prefix resolution and make aliases
and wildcard work. But not by pretending that there is no issue to be
solved.

-- 
Website: http://hallambaker.com/

_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext