Paul Wouters <p...@nohats.ca> wrote:
>
> > With this model, signing only happens where it currently happens.
>
> Good. Although if you want to return bar's IP if it is different from
> foo's IP and for resolvers that don't understand ANAME, you have to
> synthesize these, but at least then it is not worse than DNS64 with
> respect to DNSSEC.
Who is "you" in this sentence? If you are a secondary authoritative server, then you're almost certainly oblivious to the target address records, but even if you do know them, you aren't able to substitute them because the ANAME's zone is probably signed and you don't have the keys.

If you are a recursive server, you can substitute if DO=0 or if the ANAME's zone is unsigned. It would be nice if clients that make DO=1 queries also know about ANAME so they can substitute if required, but that isn't necessary for correctness.

ANAME is much less bad than DNS64 because DNS64 requires knowledge about the prefix used for tunneling, whereas ANAME substitution doesn't need any information beyond the additional section of the response you just got. And ANAME substitution isn't necessary in the way DNS64 is, i.e. connectivity works if you don't substitute ANAME sibling address records, but it doesn't if you lose DNS64 substitution.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
no one shall be enslaved by poverty, ignorance, or conformity
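The substitution rule Tony describes for a recursive server, as an added Python model that is not code from this thread or from any ANAME implementation; the `Response`/`RR` structure, the `signed` flag and the sample names and addresses are constructed assumptions, and no DNS wire format is parsed.

```python
from dataclasses import dataclass, field

# Constructed model of a DNS response; not a real wire-format parser.
@dataclass
class RR:
    name: str
    rtype: str   # "ANAME", "A" or "AAAA"
    rdata: str

@dataclass
class Response:
    owner: str          # name that holds the ANAME (foo)
    target: str         # ANAME target (bar)
    signed: bool        # assumed flag: the owner's zone carries RRSIGs
    answer: list = field(default_factory=list)      # owner's ANAME + sibling A/AAAA
    additional: list = field(default_factory=list)  # target's A/AAAA, as received

def can_substitute(resp: Response, do_bit: bool) -> bool:
    """A recursive server may rewrite the target's address records onto the
    owner only when the client did not ask for DNSSEC data (DO=0) or the
    ANAME's zone is unsigned; otherwise the synthesized RRset has no valid
    signature and would fail validation at the client."""
    return (not do_bit) or (not resp.signed)

def address_records(resp: Response, qtype: str, do_bit: bool) -> list:
    """Address records to hand the client for qtype.  Everything needed is
    already in the response's additional section (no DNS64-style prefix
    configuration).  Falls back to the owner's sibling records, which still
    give working connectivity, whenever substitution is not permitted."""
    sibling = [rr for rr in resp.answer
               if rr.name == resp.owner and rr.rtype == qtype]
    if not can_substitute(resp, do_bit):
        return sibling
    target_rrs = [rr for rr in resp.additional
                  if rr.name == resp.target and rr.rtype == qtype]
    if not target_rrs:          # additional section empty: keep the siblings
        return sibling
    return [RR(resp.owner, qtype, rr.rdata) for rr in target_rrs]

# Constructed sample: a signed zone where bar's address differs from foo's.
SAMPLE = Response(
    owner="foo.example.", target="bar.example.", signed=True,
    answer=[RR("foo.example.", "ANAME", "bar.example."),
            RR("foo.example.", "A", "192.0.2.1")],
    additional=[RR("bar.example.", "A", "198.51.100.7")])
```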