On Thu, Feb 27, 2020 at 5:38 AM, Erik Nygren <erik+i...@nygren.org> wrote:
> On Wed, Feb 26, 2020 at 2:34 PM Lanlan Pan <abby...@gmail.com> wrote:
>
>> My option:
>> 1) ANAME just configured in zonefile, and analyzed by authoritative
>> server.
>> 2) Authoritative server responds to recursive (or resolver) on its policy
>> as before, such as geo-ip, GSLB, ...
>> 3) No upgrade on recursive and resolver.
>>
>
> I don't follow how this works for the non-trivial static case.
> You have two authoritative parties, one for the authoritative zone
> and one authoritative for the ANAME target.
> Both are operated by different entities.
>
> The logic and policy for the ANAME target (involving geo-ip, GSLB, etc)
> is often highly dynamic and proprietary. How does this get conveyed
> from the authorities for the ANAME target to the authorities for the zone
> containing the ANAME? This is where we seem to get stuck.
>

Agree, the CDN target is highly dynamic.

>
> CNAMEs provide an abstraction here given that they're implemented
> and followed by recursives so policies can be implemented based
> on the recursive IP and/or the ECS sent by the recursive IP.
>
> With an authority-only ANAME, the geo-ip/GSLB/etc policy can't
> be implemented by the authority for the zone containing the ANAME
> and any requests the authority makes won't be fine-grained enough
> to be useful.
>

Just configure ANAME in the zonefile; the authoritative server returns a CNAME in the response, not an ANAME. If DNSSEC is enabled, this will cause some dynamic signature calculation (ECDSA will be better).

>
> If the customer problem is "I want to be able to CNAME example.com to
> example.com.some-example-cdn.net" then ANAME won't solve it if
> users don't get directed to the right place or if the service provider
> for the target of the ANAME makes it clear that this configuration
> voids any performance+availability SLAs.
>

Yes, the common problem is that there is no clearer information to select the best IP. I think ANAME is not a "must" upgrade for recursive.

Public recursives have designed many policies to deal with multiple CNAME RR responses (from ECS queries, or different resolve servers receiving different CNAMEs from the authoritative).

> Erik
>
>
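The vantage-point problem Erik raises above (an authority-only ANAME means the zone's authoritative server, not the recursive, is the one the CDN sees asking), as an added toy model. This is example code written for this page, not code from the thread, from any ANAME draft, or from any DNS implementation. The zone content, the CDN's geo policy, every address (RFC 5737 documentation ranges) and the assumption that the CDN keys its answer purely on the source address it sees are all constructed for illustration.

```python
import ipaddress

# Constructed target name for the CDN-hosted site (not from the thread).
CDN_TARGET = "example.com.some-example-cdn.net."

# The CDN authority's geo/GSLB policy, keyed on the address it sees in the query
# (the recursive resolver's IP, or an ECS prefix if one was sent).  Constructed.
CDN_POLICY = [
    (ipaddress.ip_network("10.0.0.0/8"), "192.0.2.10"),        # POP serving "region A"
    (ipaddress.ip_network("172.16.0.0/12"), "198.51.100.10"),  # POP serving "region B"
]
CDN_DEFAULT = "203.0.113.10"                                    # fallback POP


def cdn_answer(seen_addr):
    """A record the CDN authority returns for CDN_TARGET, given the address it sees."""
    ip = ipaddress.ip_address(seen_addr)
    for net, pop in CDN_POLICY:
        if ip in net:
            return pop
    return CDN_DEFAULT


# The customer's zone.  The apex cannot carry a CNAME (it holds SOA/NS), which is
# why ANAME is wanted there; a sub-name can use a plain CNAME.  Constructed content.
ZONE = {
    "example.com.":     {"ANAME": CDN_TARGET},
    "www.example.com.": {"CNAME": CDN_TARGET},
}

# Where the zone's authoritative server sits.  When it resolves the ANAME target
# itself, the CDN sees the query arriving from this address.  Constructed.
ZONE_AUTH_ADDR = "10.9.9.9"


def auth_side_aname(qname, _recursive_addr):
    """Authority-only ANAME as proposed in the thread: the zone authority resolves
    the target and returns A records.  The recursive's address plays no part in the
    upstream lookup, so the CDN answers for the authority's own vantage point."""
    rr = ZONE[qname]
    if "ANAME" not in rr:
        raise ValueError(f"{qname} has no ANAME")
    return cdn_answer(ZONE_AUTH_ADDR)


def recursive_follows_cname(qname, recursive_addr):
    """CNAME path: the recursive receives the CNAME and then queries the CDN
    authority from its own address, so the CDN policy can act on that address."""
    rr = ZONE[qname]
    if "CNAME" not in rr:
        raise ValueError(f"{qname} has no CNAME")
    return cdn_answer(recursive_addr)


def compare(recursive_addr):
    """(answer via apex ANAME, answer via CNAME, answer the CDN would give the
    recursive directly) for one recursive resolver address."""
    return (
        auth_side_aname("example.com.", recursive_addr),
        recursive_follows_cname("www.example.com.", recursive_addr),
        cdn_answer(recursive_addr),
    )


if __name__ == "__main__":
    for r in ("172.16.5.5", "10.2.3.4", "198.18.0.1"):
        aname, cname, best = compare(r)
        print(f"recursive {r:12} ANAME->{aname:14} CNAME->{cname:14} best->{best}")
```

Only recursives that happen to share the zone authority's region get the same POP from the ANAME path as from the CNAME path; everyone else is steered to the authority's POP. Forwarding the recursive's address or ECS prefix in the authority's upstream query would narrow the gap, but that requires the CDN to accept and act on it, which is exactly the cross-operator coordination the thread says is missing.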
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop