[dns-operations] Resolvers, DNSKEY queries and zone apex CNAMEs?

Ray Bellis ray at isc.org
Thu Jan 23 22:25:44 UTC 2020


On 23/01/2020 22:07, Paul Vixie wrote:

> apex cname is a bad idea that can't be stopped. modern dns has a lot of these, 
> for example ECS and what i once called "stupid DNS tricks"[1]. anything that 
> anybody wants to do is a possible topic for wide deployment and eventual 
> standardization, and system coherence be damned.
> 
> HTTPSSVC is the right answer for this. we should push _hard_ on that rather 
> than distracting our energies with trying to fix the DNSSEC problems related 
> to apex cname. to DNSSEC, a name is either canonical or not. if it's not it 
> will have a CNAME and only a CNAME -- and this is a good thing.

+lots!

I hoped my HTTP record draft might have been the solution, but even
though that's now dead I like to think that it helped catalyze the
browser folks towards HTTPSSVC.

CNAME was *never* the right answer for directing traffic for a domain to
a specific host, but it happened to work and was the only tool in that
toolbox at the time.  Attempting to extend it to the apex just makes
that worse.

Ray
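
The rule quoted above (a non-canonical name carries a CNAME and nothing else) can be checked mechanically. The following is an added example, not part of the original message or of any project mentioned in it: it flags owner names where a CNAME shares the name with other data, allowing only the RRSIG and NSEC records that a signed zone requires beside a CNAME (RFC 4035, section 2.5). The zone text is constructed, example.com is a placeholder, and the parser assumes one fully written-out record per line.

```python
from collections import defaultdict

# Types that may share an owner name with a CNAME in a signed zone
# (RFC 4035, section 2.5). Anything else at that name is a conflict.
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC"}

# Constructed sample zone: "owner TTL class type rdata...", one record per line.
# Key and signature data are placeholders, not real values.
SAMPLE_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 3600
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN DNSKEY 257 3 13 (constructed-key-placeholder)
example.com. 300 IN CNAME lb.cdn.example.net.
www.example.com. 300 IN CNAME lb.cdn.example.net.
www.example.com. 300 IN RRSIG CNAME 13 3 300 (constructed-signature-placeholder)
www.example.com. 300 IN NSEC example.com. CNAME RRSIG NSEC
"""

def types_by_owner(zone_text):
    """Map each owner name (lower-cased) to the set of record types it holds."""
    owners = defaultdict(set)
    for line in zone_text.splitlines():
        fields = line.split()
        # Skip blank lines, comments and anything too short to be a record.
        if len(fields) < 5 or fields[0].startswith(";"):
            continue
        owners[fields[0].lower()].add(fields[3].upper())
    return owners

def cname_conflicts(zone_text):
    """Return {owner: sorted conflicting types} for names with a CNAME plus other data."""
    conflicts = {}
    for owner, types in types_by_owner(zone_text).items():
        if "CNAME" in types:
            extra = types - ALLOWED_WITH_CNAME
            if extra:
                conflicts[owner] = sorted(extra)
    return conflicts

if __name__ == "__main__":
    # The apex is reported because SOA, NS and DNSKEY must live there;
    # www is clean because only RRSIG and NSEC accompany its CNAME.
    for owner, extra in cname_conflicts(SAMPLE_ZONE).items():
        print(f"{owner}: CNAME coexists with {', '.join(extra)}")
```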




