>If you sign offline, what happens when the A records change? You Lose(tm). For that matter, you lose even when the A records don't change since the signer only sees the ANAME, not the A or AAAA.
I did an ANAME-like feature in my DNS system, entirely on the provisioning side. It does offline signing: zones are constructed by the provisioning software, expanding the anames, then signed, then given to the master server, NSD in my case. It remembers which zones have anames and rechecks them every hour, redoing the zone's expansion and signing if they've changed.

This lets me do things that regular ANAME can't, in particular shadowing data from a server that is not authoritative for the zone. My users often host their web sites at hosting providers that insist you use their name servers, except that they don't provide usable mail, so I have to do the mail and DNS. On my server, the aname-like things can specify what server to query as well as what name, so it automatically follows the A and AAAA records that the web host publishes in their DNS.

My objection to ANAME is more or less the same as it is to BULK, even though ANAME is vastly less complex. It requires that an authoritative server include a recursive client and do online signing, both of which would be rather large additions to the mandatory set of server features. I think it'd be fine to reserve ANAME as a pseudo-rrtype so that people can do the name following magic consistently in their provisioning software, but I wouldn't want to put it into DNS servers.

R's,
John

DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
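The provisioning-side flow described in the post (expand ANAME-like pseudo-records into A/AAAA before signing, remember the result, re-expand on a timer and re-sign only when the answers moved) as an added example; this is not John's code or NSD's, just a sketch of the same idea. The pseudo-record syntax `ANAME target [@server]`, the stub resolver, the constructed sample zone and the `sign` callback are all assumptions made for the example; a real deployment would send the query to the named server (e.g. with dnspython) and hand the expanded zone to the offline signer.

```python
"""Provisioning-side ANAME expansion with change detection.

Added example, not the post author's code. Assumptions: a pseudo-record
line of the form "owner ttl class ANAME target [@server]", a pluggable
resolver callable, and a caller-supplied sign() that runs the offline
signer. The resolver below is an offline stub returning constructed data.
"""
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

# resolver(name, rtype, server) -> rdata strings; `server` selects which
# (possibly non-authoritative-for-us) name server to ask, as in the post.
Resolver = Callable[[str, str, Optional[str]], List[str]]

# Constructed answers standing in for what the web host's DNS would return.
FAKE_ANSWERS: Dict[Tuple[str, str], List[str]] = {
    ("web.hostingco.example.", "A"): ["192.0.2.11", "192.0.2.10"],
    ("web.hostingco.example.", "AAAA"): ["2001:db8::10"],
}

# Constructed sample zone; the apex cannot carry a CNAME, hence the ANAME.
SAMPLE_ZONE = [
    "$ORIGIN example.org.",
    "@ 3600 IN SOA ns1.example.org. hostmaster.example.org. 2024010101 7200 900 1209600 300",
    "@ 3600 IN NS ns1.example.org.",
    "@ 3600 IN MX 10 mail.example.org.",
    "@ 300 IN ANAME web.hostingco.example. @ns1.hostingco.example",
    "mail 3600 IN A 198.51.100.5",
]


def stub_resolver(name: str, rtype: str, server: Optional[str]) -> List[str]:
    """Offline stand-in for a query sent to `server` (ignored by the stub)."""
    return FAKE_ANSWERS.get((name, rtype), [])


def parse_aname(line: str) -> Optional[Tuple[str, str, str, str, Optional[str]]]:
    """Return (owner, ttl, class, target, server) for an ANAME pseudo-record, else None."""
    fields = line.split()
    if len(fields) < 5 or fields[3].upper() != "ANAME":
        return None
    owner, ttl, rclass, _, target = fields[:5]
    server = fields[5][1:] if len(fields) > 5 and fields[5].startswith("@") else None
    return owner, ttl, rclass, target, server


def expand_zone(zone_lines: List[str], resolve: Resolver) -> List[str]:
    """Replace each ANAME pseudo-record with the A/AAAA sets found at its target.

    Rdata is emitted in sorted order so the output is stable and the digest
    below only changes when the address set itself changes, not its order.
    """
    out: List[str] = []
    for line in zone_lines:
        parsed = parse_aname(line)
        if parsed is None:
            out.append(line)
            continue
        owner, ttl, rclass, target, server = parsed
        found = False
        for rtype in ("A", "AAAA"):
            for rdata in sorted(resolve(target, rtype, server)):
                out.append(f"{owner} {ttl} {rclass} {rtype} {rdata}")
                found = True
        if not found:
            # Leave a visible trace rather than silently dropping the name.
            out.append(f"; ANAME {owner} -> {target}: no A/AAAA found")
    return out


def zone_digest(lines: List[str]) -> str:
    """Fingerprint of the expanded (unsigned) zone, kept between rechecks."""
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()


def refresh_zone(zone_lines: List[str], resolve: Resolver, last_digest: Optional[str],
                 sign: Callable[[List[str]], None]) -> Tuple[bool, List[str], str]:
    """One periodic recheck: re-expand, and call sign() only if the expansion changed.

    Returns (changed, expanded_lines, digest); the caller stores the digest
    and passes it back on the next run (hourly, in the post's setup).
    """
    expanded = expand_zone(zone_lines, resolve)
    digest = zone_digest(expanded)
    if digest == last_digest:
        return False, expanded, digest
    sign(expanded)  # hand the expanded zone to the offline signer
    return True, expanded, digest


if __name__ == "__main__":
    signed_runs: List[List[str]] = []
    changed, zone, digest = refresh_zone(SAMPLE_ZONE, stub_resolver, None, signed_runs.append)
    print("\n".join(zone))
    print("first run signed:", changed)
    changed, _, digest = refresh_zone(SAMPLE_ZONE, stub_resolver, digest, signed_runs.append)
    print("second run signed:", changed, "(addresses unchanged)")
```

Between the two runs nothing moved, so the second call returns `changed == False` and the signer is not invoked; if the hosting provider renumbers, the sorted rdata differs, the digest changes, and the zone is re-expanded and re-signed on the next recheck.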