On Wed, 13 Mar 2024, Mark Andrews wrote:
>> The obvious example is CNAME chains. In 1034/1035 the only use
>> contemplated for CNAME was temporary forwarding when a host name
>> changed, and for that use, chained CNAMEs made no sense. Now they
>> delegate authority to different points of control in many different
>> ways. For applications like CDNs, you need two or three link CNAME
>> chains and nobody appears to find that a problem.
>
> Actually it is a problem.  It results in lots of additional lookups.
> That in turn results in amplification bug reports being reported from
> universities looking for the latest way to abuse the DNS to launch
> DoS attacks.  And it is not 3 CNAMEs, you are looking at 5+ CNAMEs
> today.

Whatever it is, it's a lot more than one, and we've been able to deal with it.

I agree with you that a lot of CNAME applications could better be done another way (someone pointed out that Cloudflare does CDNs with no CNAMEs at all) but at this point the costs of forcing people to use fewer CNAMEs are unlikely to be worth the pain.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
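A small resolver-side model of the lookup cost Mark describes, added here as an illustration and not code from anyone in this thread: a constructed in-memory zone with a five-link CNAME chain, a chain follower that counts the upstream queries one client query triggers, and the chain-length cap and loop check a resolver uses to bound that work. The zone names, addresses and the cap value are all made up for the example.

```python
# Added example (not from the thread): follow CNAME chains the way a
# resolver would, counting upstream lookups and bounding chain length.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed zone data: owner name -> (rrtype, rdata). A real resolver
# fetches each step from the authoritative server for that name, so every
# hop below stands for one extra upstream query per client query.
ZONE: Dict[str, Tuple[str, str]] = {
    "www.example.test.":   ("CNAME", "cdn1.example.test."),
    "cdn1.example.test.":  ("CNAME", "edge.cdn-a.test."),
    "edge.cdn-a.test.":    ("CNAME", "pop.cdn-b.test."),
    "pop.cdn-b.test.":     ("CNAME", "lb.cdn-b.test."),
    "lb.cdn-b.test.":      ("CNAME", "host7.cdn-b.test."),
    "host7.cdn-b.test.":   ("A", "192.0.2.7"),
    "short.example.test.": ("A", "192.0.2.1"),
    "loop1.example.test.": ("CNAME", "loop2.example.test."),
    "loop2.example.test.": ("CNAME", "loop1.example.test."),
}

@dataclass
class Result:
    answer: Optional[str]            # final A rdata, or None on failure
    lookups: int                     # upstream queries spent on one client query
    chain: List[str] = field(default_factory=list)  # CNAME targets followed
    error: Optional[str] = None

def resolve_a(name: str, max_chain: int = 8) -> Result:
    """Follow CNAMEs to an A record; cap chain length and detect loops."""
    seen = set()
    chain: List[str] = []
    lookups = 0
    while True:
        if name in seen:                      # A -> B -> A would never terminate
            return Result(None, lookups, chain, "CNAME loop")
        if len(chain) > max_chain:            # bound work per client query
            return Result(None, lookups, chain, "CNAME chain too long")
        seen.add(name)
        lookups += 1                          # one upstream query for this hop
        rr = ZONE.get(name)
        if rr is None:
            return Result(None, lookups, chain, "NXDOMAIN")
        rtype, rdata = rr
        if rtype == "A":
            return Result(rdata, lookups, chain)
        chain.append(rdata)                   # CNAME: restart at the target
        name = rdata
```

The five-link chain costs six upstream lookups for a single client query, which is the multiplier behind the amplification reports mentioned above; the cap and loop check keep that multiplier finite regardless of what the zone contains.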

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
