[dns-operations] Introducing CNAME Flattening: RFC-Compliant CNAMEs at a Domain's Root

Phillip Hallam-Baker hallam at gmail.com
Sun Apr 6 03:43:02 UTC 2014


On Sat, Apr 5, 2014 at 8:12 PM, Mark Andrews <marka at isc.org> wrote:
>
> In message <CAAF6GDeFhst9DyW1jpgb7JkrPG-KmDSM49ey_Ny+F=wsR_yKrQ at mail.gmail.com>,
>  Colm MacCárthaigh writes:
>> On Sat, Apr 5, 2014 at 3:44 PM, Mark Andrews <marka at isc.org> wrote:
>>
>> >
>> > ; EDNS: version: 0, flags:; udp: 4096
>> >
>>
>> ...
>>
>>
>> > ;; ANSWER SECTION:
>> > _http._tcp.pkg.freebsd.OrG. 3485 IN     SRV     50 10 80
>> > pkg0.bme.freebsd.org.
>> > _http._tcp.pkg.freebsd.OrG. 3485 IN     SRV     10 10 80
>> > pkg0.isc.freebsd.org.
>> > _http._tcp.pkg.freebsd.OrG. 3485 IN     SRV     90 10 80
>> > pkg0.ydx.freebsd.org.
>> > _http._tcp.pkg.freebsd.OrG. 3485 IN     SRV     20 10 80
>> > pkg0.nyi.freebsd.org.
>> >
>>
>> ...
>>
>>
>> > ;; ADDITIONAL SECTION:
>> > gns0.freebsd.OrG.       3484    IN      A       8.8.178.30
>> >
>>
>> It'd probably be beneficial for the additional section to contain the
>> A/AAAA record sets for the SRV targets here (which are in bailiwick, and
>> there's no other zonecut as far as I can tell), and could help avoid
>> another round-trip before the connect() can even be called.
>>
>> It's speculation on my part, but that behavior might be holding back SRV.
>> It's probably a hard-sell to expect browsers to perform two queries instead
>> of one, and to double the time they spend in DNS resolution.
>>
>> --
>> Colm
>
> They are marginally more expensive than a raw A/AAAA record and
> just as expensive as a CNAME record.  You either wait for the
> recursive server to follow the CNAME chain in the first lookup or
> you wait for the second lookup.  If the recursive server has the
> addresses you don't wait in either case and you get the address
> records either in the answer or additional sections.
>
> Add a little more smarts to the recursive server and it can prioritize
> the records it adds to the additional section based on SRV values.
> The browser can do any missing address record lookups while doing
> the initial connect.


Or if we decide to add encryption to the DNS client-server
protocol, do it in a way that allows multiple queries per request
transaction and multiple UDP packets per response.

That way the benefit of DNSE is not just better security, there is a
performance advantage and improved functionality as well.

-- 
Website: http://hallambaker.com/
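The two sides of the exchange above, as an added example that is not code from the thread or from any of the participants: the client side orders the SRV RRset the way RFC 2782 prescribes (priority, then weighted random selection) and checks which targets already have A/AAAA records in the additional section, so the number of extra round trips before connect() is visible; the server side shows the "prioritize by SRV values" idea, choosing which targets' addresses to glue into a size-limited additional section. The SRV records are the four quoted from the dig output; the additional-section addresses and the cache contents are constructed for the example (RFC 5737/3849 documentation ranges) and are not what the real server returned.

```python
"""RFC 2782 SRV target ordering, plus a check of which targets still need
their own A/AAAA lookup after one SRV response.

Constructed example: the SRV RRset is the one quoted in the thread for
_http._tcp.pkg.freebsd.org; the additional-section addresses are made up
(documentation ranges), not what the real server returned.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


# The four SRV records from the dig output quoted in the thread.
SRV_ANSWER = [
    SRV(50, 10, 80, "pkg0.bme.freebsd.org."),
    SRV(10, 10, 80, "pkg0.isc.freebsd.org."),
    SRV(90, 10, 80, "pkg0.ydx.freebsd.org."),
    SRV(20, 10, 80, "pkg0.nyi.freebsd.org."),
]

# Hypothetical additional section: assume the server glued addresses for
# only two of the four targets (constructed addresses, not real ones).
ADDITIONAL = {
    "pkg0.isc.freebsd.org.": ["192.0.2.10", "2001:db8::10"],
    "pkg0.nyi.freebsd.org.": ["192.0.2.20"],
}


def order_targets(records, rng=None):
    """Order SRV records as RFC 2782 prescribes: lowest priority first;
    within one priority, repeated weighted random draws, with weight-0
    records placed at the front so they are chosen only when the draw is 0."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        group.sort(key=lambda r: r.weight != 0)   # weight-0 entries first
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)
            running = 0
            for i, r in enumerate(group):
                running += r.weight
                if running >= pick:           # first record reaching the draw wins
                    ordered.append(group.pop(i))
                    break
    return ordered


def plan_connections(records, additional, rng=None):
    """Return (target, port, addresses) in the order a client would try them.
    addresses is None when the response carried no A/AAAA for that target,
    i.e. the client must spend a second round trip before connect()."""
    return [(r.target, r.port, additional.get(r.target))
            for r in order_targets(records, rng)]


def targets_needing_lookup(records, additional, rng=None):
    """Targets whose addresses were absent from the additional section."""
    return [t for t, _, addrs in plan_connections(records, additional, rng)
            if not addrs]


def fill_additional(records, address_cache, max_targets):
    """Server side: pick which targets' addresses go into the additional
    section when the packet only has room for max_targets of them, preferring
    the targets the client will try first (lowest priority, highest weight)."""
    chosen = {}
    for r in sorted(records, key=lambda r: (r.priority, -r.weight)):
        if len(chosen) >= max_targets:
            break
        if r.target in address_cache and r.target not in chosen:
            chosen[r.target] = address_cache[r.target]
    return chosen


if __name__ == "__main__":
    for target, port, addrs in plan_connections(SRV_ANSWER, ADDITIONAL):
        print(f"{target}:{port} -> {addrs or 'needs A/AAAA lookup'}")
```

With the quoted RRset every priority value is distinct, so the order is fixed (isc, nyi, bme, ydx) and the weighted draw only matters between records sharing a priority; the client can start the connect() to the first target immediately and overlap the lookups for bme and ydx with it, which is the behaviour Mark describes.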