I support trying to come up with a standards solution for alias names at the apex. But....
The dependency on online signing is a little more than just a technical issue. Currently the zone owner, the holder of the domain name, is the one having control over the zone content and as such also the one deciding who may sign her zone. She may choose to delegate this to a DNS operator, or she may decide to sign the zone herself and let the DNS operator serve the signed zone.

Currently all DNS Resource Records support the "offline" domain-name holder signed zones mode of DNSSEC. There is another provisioning-oriented resource record: DNAME. For DNAME, it is described how validators can verify that the followed referral matches. The same thing should be done for ANAME. It would be a new DNSSEC feature that needs to be supported by the DNSSEC validators.

There has been an earlier instance of the introduction of a new DNSSEC feature: NSEC3. The introduction of a DNSSEC-compatible ANAME should be done the same way as how NSEC3 was introduced: introduce new algorithm numbers that indicate ANAME support. We currently have 12 DNSSEC algorithms. The introduction of a new feature could list these same algorithms from number 17 up to 29, with the indication that it supports the new DNSSEC features, ANAME would be one of them. NSEC5 another maybe?

On 27-05-17 at 23:36, internet-dra...@ietf.org wrote:
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Domain Name System Operations of the IETF.
>
>         Title           : Address-specific DNS Name Redirection (ANAME)
>         Authors         : Evan Hunt
>                           Peter van Dijk
>                           Anthony Eden
>         Filename        : draft-ietf-dnsop-aname-00.txt
>         Pages           : 10
>         Date            : 2017-05-27
>
> Abstract:
>    This document defines the "ANAME" DNS RR type, to provide similar
>    functionality to CNAME, but only redirects type A and AAAA queries.
>    Unlike CNAME, an ANAME can coexist with other record types.  The
>    ANAME RR allows zone owners to redirect queries for apex domain names
>    in a standards compliant manner.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-aname/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-dnsop-aname-00
> https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-aname-00
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>