I'm getting confused about what the exact semantics of the proposed mechanisms are.

Q1: The intent is that ALIAS/ANAME/etc are a fallback rewrite operation if the name does not have the type asked for?
Q2: Is there a good reason to restrict this to just the apex of a zone?
Q3: Is there a good reason to restrict the target of A* to be in-zone?
Q4: Is there a good reason to restrict this to specific types? (Think about DANE cases with names like _443._tcp.@apex)

On Sep 22, 2014, at 6:03 AM, Tony Finch <d...@dotat.at> wrote:

> I can see roughly three ways this might be done, in order of increasing
> complexity...
>
> (1) Master-only. The master observes an ANAME record at the apex of a zone
> it loads and uses it to periodically refresh the relevant records in the
> zone (as if you had a cron job running dig | magic | nsupdate).
>
> Disadvantage: potentially lots of XFR traffic if the TTLs are low.

Disadvantage: if the target is a CNAME, what does the master do? It either needs to know ALL possible types that may exist or use NSECx records to determine what exists.
Possible disadvantage: Master/master signer needs access to a resolver to access out-of-zone data.
Further disadvantage: if the A* target is out of zone at a CDN, then the answers the "master" gets back reflect its location.

> (2) Authority-only: All authority servers recognize ANAME records,
> PowerDNS style.
>
> Disadvantage: all authority servers need DNSSEC private keys.

Not an absolute requirement; we could play type code tricks that allow the master server to store A* target records as different types, but servers know to check for them if A* exists.
Disadvantage: All authority servers supporting A* need to know about type translation, and signers need to know to perform actions.

> (3) DNAME-style: Authority servers and resolvers recognize ANAME records.
> ANAME-aware servers (auth and rec) return the synthesized records for
> backwards compatibility, without signatures. For DNSSEC purposes the
> signed ANAME goes in the answer section and the original signed target
> goes in the additional section.
>
> Disadvantages: forklift upgrade; DNSSEC codepoint rollover.

You mean DNSKEY alg code points? We only have 5 popular algorithms so that is not a big deal?

Olafur
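As an added illustration (not code from this thread, PowerDNS, or any DNS server) of the "fallback" semantics Q1 asks about and the CNAME-target concern raised under option (1): a toy in-memory model of authority-only ANAME synthesis. The zone for `example.org.`, the target data for `cdn.example.net.` and `cname.example.net.`, and the `ANAME`/`ADDRESS_TYPES` names are all constructed for the example; it deliberately does not enforce the apex-only restriction that Q2 questions, and a real server would fetch target data through a resolver.

```python
"""Toy model of 'authority-only' ANAME synthesis (option 2 in the thread).

Constructed example: ANAME is treated as a fallback that applies only when
the owner name has no records of the requested type (Q1). Synthesis is
limited to address types (Q4), and a CNAME at the target is followed the
way a resolver would follow it.
"""

# Constructed zone: ANAME and a real AAAA at the apex, an ordinary A at www,
# and a non-apex ANAME whose target is a CNAME.
ZONE = {
    ("example.org.", "ANAME"): ["cdn.example.net."],
    ("example.org.", "AAAA"): ["2001:db8::1"],
    ("www.example.org.", "A"): ["192.0.2.10"],
    ("alias.example.org.", "ANAME"): ["cname.example.net."],
}

# Constructed stand-in for what a resolver would return for the targets.
UPSTREAM = {
    ("cdn.example.net.", "A"): ["198.51.100.5", "198.51.100.6"],
    ("cname.example.net.", "CNAME"): ["cdn.example.net."],
}

ADDRESS_TYPES = ("A", "AAAA")  # Q4: synthesis restricted to these types


def resolve_target(target, qtype, depth=0):
    """Look up the ANAME target, following a CNAME chain if there is one."""
    if depth > 8:
        raise RuntimeError("CNAME chain too long")
    if (target, qtype) in UPSTREAM:
        return UPSTREAM[(target, qtype)]
    cname = UPSTREAM.get((target, "CNAME"))
    if cname:
        return resolve_target(cname[0], qtype, depth + 1)
    return []


def answer(qname, qtype):
    """Return (rrset, synthesized): real data wins, ANAME only fills a gap."""
    rrs = ZONE.get((qname, qtype))
    if rrs:
        return rrs, False  # Q1: the name already has the type; no rewrite
    target = ZONE.get((qname, "ANAME"))
    if target and qtype in ADDRESS_TYPES:
        return resolve_target(target[0], qtype), True
    return [], False  # a real server would answer NODATA/NXDOMAIN here
```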