In message <[email protected]>, Ralf Weber writes:
> Moin!
>
> On 21 May 2014, at 10:50, Klaus Malorny <[email protected]> wrote:
>
> > please take into account that a CNAME + DNAME, the previously discussed BNAME or the now discussed ENAME solution is still interesting for domain name registries that have to deal with (maybe lots of) IDN variants. I don't think that SRV records are a viable solution for their use case.
>
> A combination of DNAME (which exists) and SRV should work, or? But I am not sure if it is a good thing.
>
> Just let me give you an operational subjective observation from dealing with certain kinds of *NAME based redirection over 20 years running DNS servers. They caused mostly grief and problems since they have been around. This of course is caused by the different semantics (a CNAME redirects every record type, and thus there can't be another record type at that node) compared to other resource records, that even the authors of some software did not understand (some versions of BIND could load CNAME and other data at the same node). Once people understood this, DNSSEC came around and changed that assumption again as even a CNAME needs signatures.

More that it was assumed that people would read the RFC and enforce the prohibition themselves. When that wasn't happening it was first made into a warning in '97 and fatal in '99.

> Oh and then came DNAME for redirecting whole domain trees and that might have been a nice idea if I have a couple of domains and want them all to have the same data. But I do not know of Registries/Registrars that picked that up. Or is there widespread deployment?
>
> Now having an ENAME that initially will break all existing DNSSEC resolvers (who can't validate any longer, because they don't support the algorithm yet) is IMHO not the right message when we want people to deploy DNSSEC and especially do validation.

No, it will not break DNSSEC resolvers. If you were to need to use ENAME and you are signing then only validators that were aware of ENAME would mark you as secure. The existing validators would treat you as insecure. If you don't need the ENAME functionality you would continue to use the existing algorithms when signing.

Introducing NSEC3 did not break existing validators. Introducing ENAME will not break existing validators.

> SRV has been defined for some time, there are applications using it and the application we are most interested in, the browser, has a much shorter update cycle than the typical DNS infrastructure, so why not use it, as the fallback/backwards compatibility mechanism also is there and understood (publish an A/AAAA record).
>
> So let's go for it.
>
> So long
> -Ralf
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
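A small Python model of the behaviour Mark relies on, added here as an illustration and not code from the thread, from ISC or from any DNS implementation: a validator that supports none of the DS algorithms at a delegation treats the child zone as insecure rather than bogus (RFC 4035 section 5.2, restated in RFC 6840), so a zone signed only with a hypothetical ENAME algorithm is secure to an ENAME-aware validator and merely insecure to an older one. Algorithm numbers 5 and 7 are real; ENAME_ALG is a constructed placeholder, since no ENAME algorithm number was ever assigned.

```python
from dataclasses import dataclass

# Real DNSKEY algorithm numbers. 7 was added by RFC 5155 precisely so that
# NSEC3-unaware validators would treat NSEC3 zones as insecure, not bogus.
RSASHA1 = 5
RSASHA1_NSEC3_SHA1 = 7
ENAME_ALG = 250   # constructed placeholder; no ENAME algorithm was ever assigned


@dataclass(frozen=True)
class DS:
    """One DS record published by the parent (assumed already authenticated)."""
    key_tag: int
    algorithm: int
    digest_type: int


@dataclass(frozen=True)
class Validator:
    name: str
    algorithms: frozenset                         # DNSKEY algorithms implemented
    digest_types: frozenset = frozenset({1, 2})   # SHA-1 and SHA-256 digests


def classify_delegation(validator, ds_rrset, rrsig_ok):
    """Return 'insecure', 'secure' or 'bogus' for a child zone. rrsig_ok maps
    a DNSKEY algorithm to whether the child's signatures under it verify."""
    if not ds_rrset:
        return "insecure"          # parent proved no DS exists: child unsigned
    usable = [ds for ds in ds_rrset
              if ds.algorithm in validator.algorithms
              and ds.digest_type in validator.digest_types]
    if not usable:
        # RFC 4035 s5.2: no supported authentication path from parent to
        # child is handled exactly like an authenticated "no DS" proof.
        return "insecure"
    # RFC 6840 s5.11: a valid chain under any one supported algorithm suffices.
    return "secure" if any(rrsig_ok.get(ds.algorithm) for ds in usable) else "bogus"


OLD = Validator("pre-ENAME validator", frozenset({RSASHA1, RSASHA1_NSEC3_SHA1}))
NEW = Validator("ENAME-aware validator", frozenset({RSASHA1, RSASHA1_NSEC3_SHA1, ENAME_ALG}))


def demo():
    # Constructed zone signed only with the ENAME algorithm, seen by each validator.
    ename_zone = [DS(key_tag=4711, algorithm=ENAME_ALG, digest_type=2)]
    return {v.name: classify_delegation(v, ename_zone, {ENAME_ALG: True})
            for v in (OLD, NEW)}
```

The same function shows the contrast Ralf worried about: a zone signed with an algorithm the validator does support but whose signatures fail is bogus, which is the outcome an unknown algorithm deliberately avoids.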
