On 18-07-17 at 18:09, Tony Finch wrote:
> The other kind of DNS server that might be able to do something useful
> with ANAME is a recursive server, so it could co-operate nicely with
> authoritative servers that are playing clever tricks. But the rDNS will
> have to be careful about not breaking downstream validators.
>
> Say (for example) my zone has:
>
> dotat.at. ANAME www.chiark.greenend.org.uk.
> dotat.at. RRSIG ANAME
> dotat.at. A 212.13.197.229
> dotat.at. RRSIG A
> dotat.at. AAAA 2001:ba8:1e3::
> dotat.at. RRSIG AAAA
>
> A client queries its resolver for dotat.at A, but chiark has renumbered,
> so the client gets a response from the ANAME-aware resolver like below. A
> validating ANAME-aware client can see it should use the additional address
> 212.13.197.231 in preference to the address in the answer.
>
> ; ANSWER
> dotat.at. A 212.13.197.229
> dotat.at. RRSIG A
>
> ; ADDITIONAL
> dotat.at. AAAA 2001:ba8:1e3::
> dotat.at. RRSIG AAAA
> dotat.at. ANAME www.chiark.greenend.org.uk.
> dotat.at. RRSIG ANAME
> www.chiark.greenend.org.uk. A 212.13.197.231
> www.chiark.greenend.org.uk. RRSIG A
> www.chiark.greenend.org.uk. AAAA 2001:ba8:1e3::
> www.chiark.greenend.org.uk. RRSIG AAAA
>
> Note that neither the resolver nor the client needs any algorithm updates
> to avoid being confused by this additional information; they just need a
> code update so that they are able to make good use of it.
>
> If the resolver knows the client is DNSSEC-oblivious then it can do the
> substitution itself and return a simple answer like this:
>
> dotat.at. A 212.13.197.231
>
> Validating but ANAME-oblivious resolvers won't get to enjoy clever
> latency minimization tricks.
Yes! This should be included in the aname draft.

Thanks,

-- Willem

> Tony.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
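The selection rule Tony describes, as an added illustration that is not part of this thread, the aname draft, or any resolver's code: a small parser for the presentation-format response quoted above, the client-side choice (prefer the ANAME target's addresses from ADDITIONAL only when the ANAME RRset and the target's address RRset both carry an RRSIG, otherwise use the ANSWER section exactly as an ANAME-oblivious client would), and the resolver-side substitution for a DNSSEC-oblivious client. The sample response is constructed from the message; `RRSIG` lines stand in for real signatures, and the code assumes a separate validator has already verified every RRset it consults (no cryptography is performed).

```python
"""ANAME-aware client/resolver selection logic (added illustration, not
code from the DNSOP thread or the aname draft)."""
from collections import defaultdict

# Constructed sample: the ANAME-aware resolver's response from the message.
SAMPLE_RESPONSE = """\
; ANSWER
dotat.at. A 212.13.197.229
dotat.at. RRSIG A
; ADDITIONAL
dotat.at. AAAA 2001:ba8:1e3::
dotat.at. RRSIG AAAA
dotat.at. ANAME www.chiark.greenend.org.uk.
dotat.at. RRSIG ANAME
www.chiark.greenend.org.uk. A 212.13.197.231
www.chiark.greenend.org.uk. RRSIG A
www.chiark.greenend.org.uk. AAAA 2001:ba8:1e3::
www.chiark.greenend.org.uk. RRSIG AAAA
"""


def parse_response(text):
    """Parse '; SECTION' headers and 'owner TYPE rdata' lines into
    {section: {(owner, type): [rdata, ...]}}.  An RRSIG line is stored
    under (owner, 'RRSIG') with the covered type as its rdata."""
    sections = defaultdict(lambda: defaultdict(list))
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(";"):
            current = line[1:].strip().upper()
            continue
        owner, rtype, rdata = line.split(None, 2)
        sections[current][(owner, rtype)].append(rdata)
    return sections


def is_signed(rrsets, owner, rtype):
    """True if an RRSIG covering (owner, rtype) is present in this section.
    Assumption: signature validity itself was checked by the validator."""
    return rtype in rrsets.get((owner, "RRSIG"), [])


def choose_addresses(response, qname, qtype):
    """Validating ANAME-aware client.  Returns (addresses, source) where
    source is 'aname-target' when the signed target data in ADDITIONAL was
    preferred, or 'answer' when the client fell back to the ANSWER section
    (the behaviour an ANAME-oblivious client always has)."""
    answer = response["ANSWER"]
    additional = response["ADDITIONAL"]
    fallback = answer.get((qname, qtype), [])

    targets = additional.get((qname, "ANAME"), [])
    # Exactly one ANAME target, and its RRset must be signed.
    if len(targets) != 1 or not is_signed(additional, qname, "ANAME"):
        return fallback, "answer"
    target = targets[0]

    addrs = additional.get((target, qtype), [])
    # The target's address RRset must be present and signed, or we ignore it.
    if not addrs or not is_signed(additional, target, qtype):
        return fallback, "answer"
    return addrs, "aname-target"


def substitute_for_oblivious_client(response, qname, qtype):
    """Resolver side: for a client that cannot validate, collapse the response
    to plain 'owner TYPE rdata' lines using the ANAME target's addresses."""
    addrs, _ = choose_addresses(response, qname, qtype)
    return [f"{qname} {qtype} {a}" for a in addrs]


if __name__ == "__main__":
    resp = parse_response(SAMPLE_RESPONSE)
    print(choose_addresses(resp, "dotat.at.", "A"))
    print(substitute_for_oblivious_client(resp, "dotat.at.", "A"))
```

The fallback branch is the point of the message: when the ANAME or target RRset is missing or unsigned, the client silently uses the ANSWER section, so a resolver that adds this data cannot make a validating client worse off than a legacy one.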