each / draft-aname

work on a draft to standardize ANAME/ALIAS records to allow CNAME-like records at the zone apex

Answer vs Additional sections #62

Closed matje closed 5 years ago

matje commented 5 years ago

[MM: Discuss what should be in the additional section: ANAME makes sense, but differs from CNAME logic (where the CNAME is in the answer section). Additional target records that match the query type in my opinion should go in the answer section. Additional target address records that do not match the query type can go in the additional section].

[TF: from experience with DNAME I think there's a risk of interop problems if we put unexpected records in the answer section, so I said everything should go in additional. We'll expand this appendix to explain the rationale.]

each commented 5 years ago

I agree that there's a chance of interop problems, but the possibility of unexpected answer-section data is well-established, and since we have already been through DNAME (and RRSIG as well) I imagine most of the implementations that would choke on ANAME have already been culled from the herd.

IMHO it makes more sense to use the answer section. The additional section implies a lower trust level, and that the record is optional and can be removed when minimizing responses.

each commented 5 years ago

To clarify, I mean I think the ANAME should be in the answer section. I just saw that you also mentioned additional target addresses, i.e., an AAAA response that might be included if someone queried explicitly for ANAME or for A. In that case, I do think the additional section is fine.

matje commented 5 years ago

There is also a difference of what goes where depending on what is queried for:

QTYPE=ANAME:

QTYPE=A:

QTYPE=AAAA:

fanf2 commented 5 years ago

DNAME took a very long time to become deployable because of packet parsers choking on unexpected records in the answer section. We have a /24 containing a mail server that uses CNAME reverse DNS instead of DNAME for this reason (though I have not checked if it works better with DNAME in recent years). The forward DNS is much harder than the reverse.

It is likely that parsers were not fixed to be as lenient as you might hope. RRSIG is different: the client asks for RRSIG by setting DO=1, whereas DNAME was unexpectedly foisted on clients that were unprepared. We should not repeat DNAME’s mistake.

each commented 5 years ago

@matje, I may be confused here, what's the difference between the A, AAAA, and "target address records"?

matje commented 5 years ago

@each A, AAAA are the address records matching the QTYPE, that are at the same name as the ANAME, also known as the sibling address records.

The target address records are the A, AAAA records that the ANAME record points to, so to say the domain on the right side of the ANAME.

matje commented 5 years ago

I feel like the rough consensus on the dnsop mailing list is to put the ANAME in the answer section for QTYPE=A|AAAA. I will adjust the text such that it matches that.
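The following is an added example written for this page; it is not code from the draft or from anyone in the thread. It builds an uncompressed DNS response for an ANAME owner the two ways discussed above (ANAME in the answer section, or everything ANAME-related in the additional section), keeps the distinction matje draws between sibling address records (at the query name) and target address records (at the ANAME target), and runs the result through a constructed "strict client" that rejects any answer-section record whose type is neither the QTYPE nor CNAME, which models the DNAME-era parser behaviour fanf2 describes rather than any real resolver. Assumptions: ANAME has no type code on this page, so a private-use code (65280) stands in; the names and addresses are constructed from documentation ranges.

```python
"""ANAME placement: answer vs additional section, checked against a strict legacy-style parser."""
import ipaddress
import struct

TYPE_A, TYPE_CNAME, TYPE_AAAA = 1, 5, 28
TYPE_ANAME = 65280  # ASSUMPTION: private-use code standing in for ANAME's real type code
CLASS_IN = 1


def encode_name(name):
    """Uncompressed wire-format name; no label pointers are ever emitted."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not produced by this builder")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def rr(owner, rtype, rdata, ttl=300):
    return encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def addr_type(ip):
    return TYPE_A if ipaddress.ip_address(ip).version == 4 else TYPE_AAAA


def addr_rr(owner, ip):
    return rr(owner, addr_type(ip), ipaddress.ip_address(ip).packed)


def build_response(qname, qtype, answer, additional):
    # ID 0x1234, flags QR|AA, one question, no authority records.
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(answer), 0, len(additional))
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question + b"".join(answer) + b"".join(additional)


def aname_response(qname, qtype, target, sibling_ips, target_ips, aname_in_answer):
    """Sibling records are owned by qname, target address records by the ANAME target."""
    aname = rr(qname, TYPE_ANAME, encode_name(target))
    siblings = [addr_rr(qname, ip) for ip in sibling_ips if addr_type(ip) == qtype]
    targets = [addr_rr(target, ip) for ip in target_ips]
    if qtype == TYPE_ANAME:
        return build_response(qname, qtype, [aname], targets)
    if aname_in_answer:
        return build_response(qname, qtype, [aname] + siblings, targets)
    return build_response(qname, qtype, siblings, [aname] + targets)


def parse(msg):
    """Returns {'answer': [...], 'authority': [...], 'additional': [...]} of (owner, type, rdata)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    sections = {}
    for name, count in (("answer", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records.append((owner, rtype, msg[off:off + rdlen]))
            off += rdlen
        sections[name] = records
    return sections


def strict_parse(msg, qtype):
    """Constructed model of a legacy client: only QTYPE or CNAME is tolerated in the answer section."""
    sections = parse(msg)
    for _, rtype, _ in sections["answer"]:
        if rtype not in (qtype, TYPE_CNAME):
            raise ValueError(f"unexpected type {rtype} in answer section")
    return sections


def rejected_by_strict_client(msg, qtype):
    try:
        strict_parse(msg, qtype)
        return False
    except ValueError:
        return True


def answer_types(msg):
    return [rtype for _, rtype, _ in parse(msg)["answer"]]


def additional_owners(msg):
    return sorted({owner for owner, _, _ in parse(msg)["additional"]})
```

With ANAME in the answer section for QTYPE=A, the strict client rejects the whole message even though the sibling A record it wanted is right there; with ANAME moved to the additional section the same client accepts it. For QTYPE=ANAME the record is the QTYPE, so it belongs in the answer section either way and the target address records ride along in additional.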