Dear colleagues,

I managed to delete instead of sending my note on this topic earlier
today, and my brain is sufficiently soft that I couldn't just re-type
it out.  Nevertheless,

On Tue, Jul 18, 2017 at 03:19:44PM +0200, Willem Toorop wrote:
> I support trying to come up with a standards solution for alias names at
> the apex.  But....

I agree with this, and

> The dependency on online signing is a little more then just a technical
> issue.

also this.  

> Currently all DNS Resource Records support the "offline" domain-name
> holder signed zones mode of DNSSEC.  There is another provisioning
> oriented resource record: DNAME.  For DNAME, it is described how
> validators can verify that the followed referral matches. The same thing
> should be done for ANAME.

The problem is that DNAME has another feature that ANAME (and other
things like BNAME) can't: RFC 6672 gives the reasons why all
validators must also be able to cope with DNAME.  This was a fact (or
maybe accident) of history.  It is just not true of ANAME, and that
means that much of section 3 of the I-D is far too weak.  It needs to
say that, if you can't sign online, then you will break DNSSEC.

It is very strange for us to suggest this, but I think there are only
two options: either DNSSEC means we can never do any more aliasing, or
else we have to accept that some kinds of innovation in the DNS is
going to break DNSSEC sometimes, and allow zone operators to decide
whether they want to break validation (and therefore lose the
connections) or whether they want to serve everyone.

Alternatively, of course, we can follow the multiple-algorithm
approach that others have suggested.  This has the disadvantage of
bloating the DNSKEY RRset for anyone who wants to use these features,
of course, so it is also not free.

I'm also slightly concerned about this at the end of 3.3:

   The type bit map SHOULD only include address types which are known
   to exist at the <target>

Is the advice really to ask for both and then incorporate what is
known?  That seems maybe safer advice.

I also wonder whether the document would be easier to understand if it
were broken up into smaller chunks dealing separately with the
authorities, intermediates, and stubs.  It could be that nobody else
find these items too tangled in the current I-D, but if others do I
can propose text.

A

-- 
Andrew Sullivan
a...@anvilwalrusden.com

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Reply via email to