Willem Toorop <wil...@nlnetlabs.nl> wrote:
>
> The dependency on online signing is a little more than just a technical
> issue.
I need to review the draft properly, but I do not think ANAME should
require any online signing.

In my view an authoritative server which does online signing and
on-demand record synthesis is a master server. You can make all your
public authoritative servers into masters if you like, but it must not
be required.

If (like me) you have a more traditional setup then ANAME is an
instruction to the master server about zone maintenance, saying that it
needs to periodically update the sibling A and AAAA records, similar to
periodic re-signing, or as if some script were periodically
`nsupdate`ing the records. The secondary servers can continue to work
the same as they do now, but they'll work better if they know about
some helpful additional section rules for ANAME.

(That is basically how my bodged-up ANAME implementation works, in my
zone provisioning scripts.)

The other kind of DNS server that might be able to do something useful
with ANAME is a recursive server, so it could co-operate nicely with
authoritative servers that are playing clever tricks. But the rDNS will
have to be careful about not breaking downstream validators.

Say (for example) my zone has:

        dotat.at.       ANAME   www.chiark.greenend.org.uk.
        dotat.at.       RRSIG   ANAME
        dotat.at.       A       212.13.197.229
        dotat.at.       RRSIG   A
        dotat.at.       AAAA    2001:ba8:1e3::
        dotat.at.       RRSIG   AAAA

A client queries its resolver for dotat.at A, but chiark has renumbered,
so the client gets a response from the ANAME-aware resolver like below.
A validating ANAME-aware client can see it should use the additional
address 212.13.197.231 in preference to the address in the answer.

        ; ANSWER
        dotat.at.       A       212.13.197.229
        dotat.at.       RRSIG   A
        ; ADDITIONAL
        dotat.at.       AAAA    2001:ba8:1e3::
        dotat.at.       RRSIG   AAAA
        dotat.at.       ANAME   www.chiark.greenend.org.uk.
        dotat.at.       RRSIG   ANAME
        www.chiark.greenend.org.uk.     A       212.13.197.231
        www.chiark.greenend.org.uk.     RRSIG   A
        www.chiark.greenend.org.uk.     AAAA    2001:ba8:1e3::
        www.chiark.greenend.org.uk.     RRSIG   AAAA

Note that neither the resolver nor the client needs any algorithm
updates to avoid being confused by this additional information; they
just need a code update so that they are able to make good use of it.

If the resolver knows the client is DNSSEC-oblivious then it can do the
substitution itself and return a simple answer like this:

        dotat.at.       A       212.13.197.231

Validating but ANAME-oblivious resolvers won't get to enjoy clever
latency minimization tricks.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
East Sole, Lundy, Fastnet, Irish Sea: Easterly becoming cyclonic 4 or 5,
increasing 6 or 7 at times. Slight or moderate. Fair then thundery
showers, fog patches later. Moderate or good, occasionally very poor
later.
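The three behaviours described in the message above (the master refreshing the sibling A/AAAA records from the ANAME target, an ANAME-aware resolver answering with the signed sibling records plus the target's addresses in ADDITIONAL, or substituting directly for a DNSSEC-oblivious client, and an ANAME-aware client preferring the ADDITIONAL addresses) modelled in Python as an added example. This is not Tony Finch's provisioning scripts or any draft's reference code; the RRSIG entries are placeholders that only name the covered type, no signature is actually validated, and the records and addresses are constructed from the ones quoted in the message.

```python
"""Toy model of ANAME handling on the master, the resolver and the client.
Added illustration, not the post author's code. RRSIG records are stand-ins
(rdata = covered type); a real validator would check them before use."""
from dataclasses import dataclass
from typing import Callable, Dict, List

ADDRESS_TYPES = ("A", "AAAA")


@dataclass(frozen=True)
class RR:
    owner: str
    rtype: str
    rdata: str  # for the RRSIG placeholders this is the covered type


def parse_rrs(text: str) -> List[RR]:
    """Parse 'owner TYPE rdata' lines, a small subset of presentation format."""
    rrs = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if line:
            owner, rtype, rdata = line.split(None, 2)
            rrs.append(RR(owner.lower(), rtype.upper(), rdata))
    return rrs


def rrset(rrs: List[RR], owner: str, rtype: str, signed: bool = True) -> List[RR]:
    """One owner's records of one type, plus the RRSIG covering it when signed."""
    out = [rr for rr in rrs if rr.owner == owner and rr.rtype == rtype]
    if signed:
        out += [rr for rr in rrs if rr.owner == owner and rr.rtype == "RRSIG"
                and rr.rdata.upper() == rtype]
    return out


def refresh_sibling_addresses(zone: List[RR],
                              resolve: Callable[[str, str], List[str]]) -> List[RR]:
    """Master-side zone maintenance: for each ANAME, replace the owner's sibling
    A/AAAA with the target's current addresses, as a periodic nsupdate would.
    Existing RRSIGs are carried through; re-signing happens separately."""
    targets = {rr.owner: rr.rdata.lower() for rr in zone if rr.rtype == "ANAME"}
    kept = [rr for rr in zone if not (rr.owner in targets and rr.rtype in ADDRESS_TYPES)]
    fresh = [RR(owner, rtype, addr)
             for owner, target in targets.items()
             for rtype in ADDRESS_TYPES
             for addr in resolve(target, rtype)]
    return kept + fresh


def resolver_response(zone: List[RR], target_rrs: List[RR], qname: str, qtype: str,
                      dnssec_ok: bool) -> Dict[str, List[RR]]:
    """ANAME-aware resolver. With DO set, keep the signed sibling answer intact
    and put the ANAME and the target's addresses in ADDITIONAL so a validator
    is never handed an unsigned substitute; without DO, substitute directly."""
    qname = qname.lower()
    aname = rrset(zone, qname, "ANAME", signed=False)
    if not aname:
        return {"answer": rrset(zone, qname, qtype, dnssec_ok), "additional": []}
    target = aname[0].rdata.lower()
    if not dnssec_ok:
        subst = [RR(qname, qtype, rr.rdata) for rr in rrset(target_rrs, target, qtype, False)]
        return {"answer": subst or rrset(zone, qname, qtype, False), "additional": []}
    other = "AAAA" if qtype == "A" else "A"
    additional = (rrset(zone, qname, other) + rrset(zone, qname, "ANAME")
                  + rrset(target_rrs, target, "A") + rrset(target_rrs, target, "AAAA"))
    return {"answer": rrset(zone, qname, qtype), "additional": additional}


def client_addresses(response: Dict[str, List[RR]], qname: str, qtype: str) -> List[str]:
    """ANAME-aware client: prefer the target's addresses from ADDITIONAL when an
    ANAME for qname is present there; otherwise fall back to the ANSWER section.
    An ANAME-oblivious client never looks past ANSWER and so still works."""
    qname = qname.lower()
    add = response["additional"]
    for rr in add:
        if rr.owner == qname and rr.rtype == "ANAME":
            target = rr.rdata.lower()
            preferred = [x.rdata for x in add if x.owner == target and x.rtype == qtype]
            if preferred:
                return preferred
    return [rr.rdata for rr in response["answer"] if rr.owner == qname and rr.rtype == qtype]


# Constructed from the message: the signed zone as published ...
ZONE = parse_rrs("""
dotat.at. ANAME www.chiark.greenend.org.uk.
dotat.at. RRSIG ANAME
dotat.at. A 212.13.197.229
dotat.at. RRSIG A
dotat.at. AAAA 2001:ba8:1e3::
dotat.at. RRSIG AAAA
""")

# ... and what the target currently publishes after renumbering.
TARGET = parse_rrs("""
www.chiark.greenend.org.uk. A 212.13.197.231
www.chiark.greenend.org.uk. RRSIG A
www.chiark.greenend.org.uk. AAAA 2001:ba8:1e3::
www.chiark.greenend.org.uk. RRSIG AAAA
""")


def lookup_target(name: str, rtype: str) -> List[str]:
    """Stand-in for the master's own lookup of the ANAME target."""
    return [rr.rdata for rr in rrset(TARGET, name, rtype, signed=False)]


if __name__ == "__main__":
    resp = resolver_response(ZONE, TARGET, "dotat.at.", "A", dnssec_ok=True)
    print("validating client uses:", client_addresses(resp, "dotat.at.", "A"))
    plain = resolver_response(ZONE, TARGET, "dotat.at.", "A", dnssec_ok=False)
    print("oblivious client gets:", plain["answer"])
    print("master after refresh:", rrset(refresh_sibling_addresses(ZONE, lookup_target),
                                         "dotat.at.", "A", signed=False))
```

The point the model makes concrete is the one the message relies on: in the DO=1 path the ANSWER section is exactly the signed RRset from the zone, so an ANAME-oblivious validator validates as before, while the ADDITIONAL section only carries extra signed RRsets that an aware client may act on. Only the DO=0 path synthesises an unsigned record, and it is sent only to a client that was never going to validate it.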