[lamps] DNS DNAME pain.
Phillip Hallam-Baker <phill@hallambaker.com> Thu, 09 November 2017 16:06 UTC
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Thu, 09 Nov 2017 11:06:34 -0500
To: SPASM <SPASM@ietf.org>, Olafur Gudmundsson <ogud@ogud.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/qYayF-zl__lmnGzkyEoORN2zeoc>
I am trying to work out whether the restrictions in RFC6672 make use of prefix records impossible.

Specifically, a DNAME is not allowed to have any records below it and worse, section 2.4 states:

"A server MAY refuse to load a zone that has data at a subdomain of a domain name owning a DNAME RR. If the server does load the zone, those names below the DNAME RR will be occluded as described in RFC 2136 [RFC2136], Section 7.18."

This is called making things hard.

DNAME was originally developed to help manage reverse DNS during IP address space renumbering, a problem we solved by abandoning the reverse DNS. It is really not suited for the task it is used for (as we have discovered when trying to use it for forward DNS).

What this means is that we can't have RRs like the following:

    example.net DNAME example.com
    _prefix.example.net CAA foo

It is not clear to me how the following is required to be interpreted:

    example.net DNAME example.com
    example.net CAA foo

The situation is of course very different depending on what forms of DNS zone validation are performed in deployed systems and indeed whether the restrictions on DNAME mean that it is either not used at all or if the existing uses already violate parts of RFC6672.

It might well be that the way to solve the DNAME problem is to specify a new zone mapping record that does the job in a way that meets DNS admins' needs. That is currently a possibility because use of DNSSEC is mostly limited to signing. The only folk verifying are folk who either really know what they are doing or whose systems are always breaking anyway. That window is likely to close at some point.
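As an added illustration (not part of the message above), a small Python zone lint that applies the RFC 6672 Section 2.4 occlusion rule to a constructed zone containing the records in question: it flags the _prefix CAA below the DNAME as occluded, leaves the CAA at the DNAME owner itself alone, and shows the name a resolver substitutes for a query under the DNAME, which is where such a prefix lookup would actually land. The simplified one-record-per-line format and the sample data are assumptions made for the example.

```python
"""Lint a zone for names occluded by a DNAME (RFC 6672, Section 2.4)."""
from typing import List, Tuple

# Constructed sample zone in a simplified presentation format:
# "<owner> <type> <rdata>" per line, owners written without trailing dot.
SAMPLE_ZONE = """
example.net SOA ns1.example.net. hostmaster.example.net. 1 3600 900 604800 300
example.net NS ns1.example.net.
example.net DNAME example.com
example.net CAA 0 issue "ca.example"
_prefix.example.net CAA 0 issue "ca.example"
www.example.net A 192.0.2.10
"""

def parse_zone(text: str) -> List[Tuple[str, str, str]]:
    """Parse the simplified format into (owner, type, rdata) tuples."""
    records = []
    for line in text.strip().splitlines():
        owner, rtype, rdata = line.split(maxsplit=2)
        records.append((owner.lower().rstrip('.'), rtype.upper(), rdata))
    return records

def is_subdomain(name: str, parent: str) -> bool:
    """True if name is a strict, label-aligned subdomain of parent."""
    return name != parent and name.endswith('.' + parent)

def find_occluded(records):
    """Return (owner, type, reason) for records RFC 6672 occludes or forbids.

    Rules applied: no data may exist below a DNAME owner (those names are
    occluded), and a CNAME may not share an owner with a DNAME. Other types
    at the DNAME owner itself (SOA, NS at the apex, CAA, ...) are allowed.
    """
    dname_owners = {o for o, t, _ in records if t == 'DNAME'}
    problems = []
    for owner, rtype, _ in records:
        for d in dname_owners:
            if is_subdomain(owner, d):
                problems.append((owner, rtype, f'occluded by DNAME at {d}'))
            elif owner == d and rtype == 'CNAME':
                problems.append((owner, rtype, f'CNAME cannot coexist with DNAME at {d}'))
    return problems

def dname_substitute(qname: str, records) -> str:
    """Rewrite qname the way a resolver does on meeting a DNAME (RFC 6672 2.2)."""
    for owner, rtype, target in records:
        if rtype == 'DNAME' and is_subdomain(qname, owner):
            return qname[:-len(owner)] + target.rstrip('.')
    return qname
```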