Re: [lamps] DNS DNAME pain.

Phillip Hallam-Baker <> Thu, 09 November 2017 17:49 UTC

List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <>

On Thu, Nov 9, 2017 at 11:53 AM, John R Levine <> wrote:
> On Thu, 9 Nov 2017, Phillip Hallam-Baker wrote:
>>> DNAME only maps names below it, so the CAA is fine.
>> That is my understanding from the text, the example suggests
>> otherwise. I would like to check that the old behavior of not matching
>> the root is still valid.
> It hasn't changed.  For a long time the .CAT domain made a poor attempt to
> map ASCII and accented versions of names using DNAME, and I found out all
> about DNAME+other stuff.
>>> There's a BNAME proposal kicking around that is sort of a combined
>>> CNAME and DNAME, mapping everything at and below the name.  Or do you
>>> mean something else like a translucent DNAME that only maps if there's
>>> nothing at the actual name?
>> I am aware that there have been proposals circulating, I have not been
>> tracking them directly. They seem to always be about to happen in a
>> year or two.
> BNAME is going nowhere because it doesn't solve the problem it's supposed to
> solve, mapping variant names together.  If you want, say, a pair of
> traditional and simplified Chinese names to act the same, you have far more
> work provisioning web and mail servers than the DNS.

Like many other DNS proposals, the only way that can work is if the
services are getting their configuration data from the same source of
truth as the authoritative DNS server.

That is something I have been building for my own use. When a Docker
container pops up, it should register itself in the DNS as one of the
handlers for that service. When it dies, it should be unregistered.
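
The DNAME behaviour discussed in the quoted exchange above (DNAME maps only names below its owner, so a CAA record at the owner name itself is still the one returned), as an added example that is not part of the original message. It is a simplified model, not a full resolver: the zone contents, the names and the helper functions `dname_rewrite` and `resolve` are constructed for illustration.

```python
# Constructed zone data for illustration; all names and CAA values are placeholders.
ZONE = {
    ("example.com.", "DNAME"): ["example.net."],
    ("example.com.", "CAA"): ['0 issue "ca.example"'],
    ("www.example.net.", "CAA"): ['0 issue "other-ca.example"'],
}


def labels(name):
    """Split a domain name into lower-cased labels, ignoring the trailing dot."""
    return [part for part in name.lower().rstrip(".").split(".") if part]


def dname_rewrite(qname, owner, target):
    """Apply DNAME substitution: only names strictly below owner are rewritten."""
    q, o = labels(qname), labels(owner)
    split = len(q) - len(o)
    if split <= 0 or q[split:] != o:
        return None  # the owner itself, or an unrelated name: no substitution
    return ".".join(q[:split] + labels(target)) + "."


def resolve(qname, rtype, zone=ZONE, max_hops=8):
    """Return (chain of names visited, records), following ancestor DNAMEs."""
    name = ".".join(labels(qname)) + "."
    chain = [name]
    for _ in range(max_hops):
        parts = labels(name)
        rewritten = None
        # Look for a DNAME at each strict ancestor, closest first.
        for i in range(1, len(parts) + 1):
            owner = ".".join(parts[i:]) + "."
            targets = zone.get((owner, "DNAME"))
            if targets:
                rewritten = dname_rewrite(name, owner, targets[0])
                break
        if rewritten is None:
            # No DNAME above this name: answer from the name's own records.
            return chain, zone.get((name, rtype), [])
        name = rewritten
        chain.append(name)
    raise RuntimeError("DNAME chain exceeded max_hops")


if __name__ == "__main__":
    print(resolve("example.com.", "CAA"))      # answered at the DNAME owner
    print(resolve("www.example.com.", "CAA"))  # redirected below the owner
```
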