In article <9232f4f4-772f-48aa-80fb-c990662af...@powerdns.com> you write:
>On 31 Mar 2017, at 1:08, John Levine wrote:
>
>>> If you sign offline, what happens when the A records change?
>>
>> You Lose(tm). For that matter, you lose even when the A records don't
>> change since the signer only sees the ANAME, not the A or AAAA.
>
>There are PowerDNS ALIAS deployments that sign offline (for some
>stretch of the definition of offline) - every minute. For small zones
>the NOTIFY+XFR overhead is very tolerable, and the public auths do not
>need the private key data.
Sure. That's what I do, too, but I'd call that doing it on the
provisioning side.

>> so I have to do the mail and DNS. On my server, the aname-like things
>> can specify what server to query as well as what name, so it
>> automatically follows the A and AAAA records that the web host
>> publishes in their DNS.
>
>You could point your ANAME-aware auth at a specific resolver that has
>stub zones configured for those domains, and then this would work with
>ANAME as well.

I don't see the benefit -- that just adds an extra level of kludge in
the middle. If this is worth doing at all (I think it is) why not just
put it into ANAME?

>And, of course, any auth implementer is free to not implement ANAME if he does
>not like the requirements.

Now we're back to the same issue I raised with BULK. Everyone now has
to carefully check what features are supported by all of their
secondary servers, as opposed to now where I don't even know or care
what software they use. Some of us hoped we got over that once DNSSEC
got into the mainstream auth servers.

R's,
John
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
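The provisioning-side expansion discussed above, as an added example that is not part of the thread, of PowerDNS, or of John's server: ANAME-like records are replaced by the target's A/AAAA records before the zone is signed, so ordinary secondaries only ever see address records. The zone, the target name, the resolver answers and the `lookup` callback are all constructed so the example runs offline.

```python
"""Expand ANAME-like records into A/AAAA at provisioning time (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    owner: str
    ttl: int
    rtype: str
    rdata: str


def expand_anames(zone, lookup):
    """Return a copy of `zone` with every ANAME replaced by the target's A/AAAA.

    `lookup(name, rtype)` is an assumed callback returning (ttl, [rdata, ...]),
    standing in for a real resolver query. The emitted TTL is the minimum of
    the ANAME TTL and the target's TTL, so published addresses never outlive
    the upstream answer that produced them.
    """
    out = []
    for rr in zone:
        if rr.rtype != "ANAME":
            out.append(rr)
            continue
        for rtype in ("A", "AAAA"):
            ttl, addrs = lookup(rr.rdata, rtype)
            for addr in sorted(addrs):
                out.append(RR(rr.owner, min(rr.ttl, ttl), rtype, addr))
    return out


def needs_resign(old, new):
    """True when the expanded record set changed (SOA ignored), i.e. re-sign now."""
    return {r for r in old if r.rtype != "SOA"} != {r for r in new if r.rtype != "SOA"}


# Constructed sample data: a fake resolver and a zone with an ANAME at the apex.
FAKE_DNS = {
    ("webhost.example.net.", "A"): (60, ["192.0.2.11", "192.0.2.10"]),
    ("webhost.example.net.", "AAAA"): (60, ["2001:db8::10"]),
}


def fake_lookup(name, rtype):
    return FAKE_DNS.get((name, rtype), (0, []))


SAMPLE_ZONE = [
    RR("example.com.", 3600, "SOA", "ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 300"),
    RR("example.com.", 3600, "ANAME", "webhost.example.net."),
    RR("www.example.com.", 3600, "CNAME", "webhost.example.net."),
]

if __name__ == "__main__":
    for rr in expand_anames(SAMPLE_ZONE, fake_lookup):
        print(rr.owner, rr.ttl, rr.rtype, rr.rdata)
```

Running `expand_anames` on a schedule and signing only when `needs_resign` is true gives the periodic re-sign described in the thread without the secondaries needing key material.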