Paul Wouters <> wrote:
> > With this model, signing only happens where it currently happens.
> Good. Although if you want to return bar's IP if it is different from
> foo's IP and for resolvers that don't understand ANAME, you have to
> synthesize these, but at least then it is nor worse then DNS64 with
> respect to DNSSEC.

Who is "you" in this sentence?

If you are a secondary authoritative server, then you're almost certainly
oblivious to the target address records, but even if you do know them, you
aren't able to substitute them because the ANAME's zone is probably signed
and you don't have the keys.

If you are a recursive server, you can substitute if DO=0 or if the
ANAME's zone is unsigned. It would be nice if clients that make DO=1
queries also know about ANAME so they can substitute if required, but that
isn't necessary for correctness.

ANAME is much less bad than DNS64 because DNS64 requires knowledge about
the prefix used for tunneling, whereas ANAME substition doesn't need any
information beyond the additional section of the response you just got.
And ANAME substitution isn't necessary for in the way DNS64 is, i.e.
connectivity works if you don't substitute ANAME sibling address records,
but it doesn't if you lose DNS64 substitution.

f.anthony.n.finch  <>
no one shall be enslaved by poverty, ignorance, or conformity

DNSOP mailing list

Reply via email to