[dns-operations] Resolvers, DNSKEY queries and zone apex CNAMEs?
Paul Vixie
paul at redbarn.org
Thu Jan 23 22:07:59 UTC 2020
On Thursday, 23 January 2020 21:43:48 UTC Viktor Dukhovni wrote:

> [ I think the issue merits some attention beyond just giving up. Anyone
> else care to comment? ]

apex cname is a bad idea that can't be stopped. modern dns has a lot of these,
for example ECS and what i once called "stupid DNS tricks"[1]. anything that
anybody wants to do is a possible topic for wide deployment and eventual
standardization, and system coherence be damned.

HTTPSSVC is the right answer for this. we should push _hard_ on that rather
than distracting our energies with trying to fix the DNSSEC problems related
to apex cname. to DNSSEC, a name is either canonical or not. if it's not it
will have a CNAME and only a CNAME -- and this is a good thing.

--
Paul
[1] https://queue.acm.org/detail.cfm?id=1647302
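
The rule in the message's last paragraph (a non-canonical name has a CNAME and only a CNAME), shown as an added example that is not part of the message or the list archive: a Python check that flags owner names where a CNAME coexists with other record types. The zone data is constructed, the function names are hypothetical, the input is assumed to be one fully qualified record per line, and the RRSIG/NSEC exemption follows RFC 4035 section 2.5.

```python
from collections import defaultdict

# Types a signed zone may hold at the same owner name as a CNAME (RFC 4035, section 2.5).
ALLOWED_WITH_CNAME = {"RRSIG", "NSEC"}

# Constructed sample zone (not from the thread): the apex has a CNAME beside SOA/NS/DNSKEY.
SAMPLE_ZONE = """\
example.test.      3600 IN SOA    ns1.example.test. host.example.test. 1 7200 900 1209600 300
example.test.      3600 IN NS     ns1.example.test.
example.test.      3600 IN DNSKEY 257 3 13 AAAA
example.test.      300  IN CNAME  lb.cdn.test.
www.example.test.  300  IN CNAME  lb.cdn.test.
www.example.test.  300  IN RRSIG  CNAME 13 3 300 20200301000000 20200201000000 1234 example.test. AAAA
www.example.test.  300  IN NSEC   example.test. CNAME RRSIG NSEC
ns1.example.test.  3600 IN A      192.0.2.53
"""

def types_by_owner(zone_text):
    """Map each owner name (lowercased) to the set of RR types found there.

    Assumes the simplified layout 'owner ttl class type rdata...' on one line.
    """
    owners = defaultdict(set)
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if len(fields) >= 4:
            owners[fields[0].lower()].add(fields[3].upper())
    return owners

def cname_conflicts(zone_text):
    """Return {owner: sorted types that may not share the name with its CNAME}."""
    conflicts = {}
    for owner, types in types_by_owner(zone_text).items():
        if "CNAME" in types:
            extra = types - {"CNAME"} - ALLOWED_WITH_CNAME
            if extra:
                conflicts[owner] = sorted(extra)
    return conflicts

def apex_cnames(zone_text):
    """Return owner names holding both an SOA (zone apex) and a CNAME."""
    return sorted(o for o, t in types_by_owner(zone_text).items()
                  if {"SOA", "CNAME"} <= t)

if __name__ == "__main__":
    for owner, extra in cname_conflicts(SAMPLE_ZONE).items():
        print(f"{owner} CNAME coexists with: {', '.join(extra)}")
    print("apex CNAME at:", apex_cnames(SAMPLE_ZONE))
```
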