[DNSOP] RFC 8482 (the ANY -> HINFO hack) and DNAME

Thu, 14 Nov 2019 06:41:11 -0800 

Hello,
We just implemented DNAME support on an authoritative server that already implements giving an HINFO response to ANY queries, as described in RFC 8482. 


RFC 8482 is clear about not allowing the HINFO response if there is a 
CNAME record at the name. While no rationale is given in the RFC, it 
seems clear that this is because a CNAME cannot exist with any other 
record, so replying with HINFO might break things, or at least cause 
confusion.



What is not clear is what to do DNAME subtree responses. (For ANY 
queries that match the name of the DNAME record itself, we apply the 
normal RFC 8482 logic, which seems reasonable.)



DNAME provides synthesized CNAME answers, presumably to help resolvers 
that do not support DNAME. On the one hand, if this is important then 
probably performing the normal DNAME logic and returning these 
synthesized records makes sense. On the other hand, it seems unlikely 
that any resolver actually sends ANY queries to authoritative servers. 
However RFC 8482 seems to disagree with this, since the 
resolver/authoritative interaction is specifically called out:


   Alternative proposals for dealing with ANY queries have been
   discussed.  One approach proposes using a new RCODE to signal that an
   authoritative server did not answer ANY queries in the standard way.
   This approach was found to have an undesirable effect on both
   resolvers and authoritative-only servers; resolvers receiving an
   unknown RCODE would resend the same query to all available
   authoritative servers rather than suppress future ANY queries for the
   same QNAME.


We have chosen to perform CNAME synthesis for ANY queries that match a 
DNAME subtree, based on the logic that if CNAME is special when added by 
hand then it is probably also special when synthesized.



I'm interested in what the DNSOP group thinks the correct behavior is, 
and also if it makes sense to update RFC 8482 to clarify the expected 
behavior for DNAME.


Cheers,

--
Shane

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop






















					Reply via email to