[dns-operations] Any DNAME usage experience?
ietf-dane at dukhovni.org
Sun Mar 29 20:40:15 UTC 2020
On Sun, Mar 29, 2020 at 04:15:07PM -0400, John Levine wrote:
> >I see some administrators successfully using DNAMEs to retarget
> >the entire "_tcp" subtree of a set of hosts to a common location.
> >Something along the lines of:
> > _tcp.mail1.example.com. IN DNAME _dane.example.com.
> > _tcp.mail2.example.com. IN DNAME _dane.example.com.
> > _tcp.mail3.example.com. IN DNAME _dane.example.com.
> > *._dane.example.com IN TLSA 2 1 1 ...
> >This works fine.
> I suppose, although for this application, wouldn't this work just as well?
> *._tcp.mail1.example.com. IN CNAME _dane.example.com.
> *._tcp.mail2.example.com. IN CNAME _dane.example.com.
> *._tcp.mail3.example.com. IN CNAME _dane.example.com.
> _dane.example.com IN TLSA 2 1 1 ...
If (as above) all the ports map to a single target TLSA RRset, then yes,
CNAMEs at the leaves also work.
> I can see that if you had both mail and web with _25 and _443 TLSA,
> DNAME might be a little easier to set up.
The actual user in question publishes TLSA RRs for only a selected
subset of ports, e.g. for 25 and 443, but not 587.
DNAME is a bit more flexible in this context. It is by no means
popular. Among 1.87 million domains with DANE TLSA RRs for their
primary MX hosts, 524 alias their TLSA RRs, of which three use DNAMEs.
And there are 2 TLDs that employ DNAMEs:
; Taiwan simplified -> traditional
xn--kprw13d. IN DNAME xn--kpry57d.
; Iran Arabic -> subdomain
xn--mgba3a4f16a. IN DNAME xn--mgba3a4f16a.ir.
It is even possible that a decent fraction of the world's DNAME RRs are
operated single-handedly by Tony Finch under cam.ac.uk. :-)
Bottom line, they're used infrequently, but they do seem to work.
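
The following is an added example, not part of the original post: a small Python model of the two aliasing schemes discussed in the thread, showing that DNAME suffix substitution (RFC 6672) preserves the port label while a wildcard CNAME sends every port to one TLSA RRset. The per-port owner names `_25._dane.example.com.` and `_443._dane.example.com.` are an assumed layout for the "selected subset of ports" case, the TLSA data is a placeholder, and wildcard matching is simplified to a single label.

```python
# Constructed zones for illustration; TLSA rdata is a placeholder, not real data.
DNAME_ZONE = {
    ("_tcp.mail1.example.com.", "DNAME"): "_dane.example.com.",
    ("_tcp.mail2.example.com.", "DNAME"): "_dane.example.com.",
    # Assumed layout: TLSA published per port, only for 25 and 443.
    ("_25._dane.example.com.", "TLSA"): "2 1 1 <placeholder>",
    ("_443._dane.example.com.", "TLSA"): "2 1 1 <placeholder>",
}
CNAME_ZONE = {
    ("*._tcp.mail1.example.com.", "CNAME"): "_dane.example.com.",
    ("*._tcp.mail2.example.com.", "CNAME"): "_dane.example.com.",
    ("_dane.example.com.", "TLSA"): "2 1 1 <placeholder>",
}

def lookup(zone, name, rtype):
    """Exact match first, then a one-label wildcard at the parent (simplified)."""
    if (name, rtype) in zone:
        return zone[(name, rtype)]
    parent = name.split(".", 1)[1]
    return zone.get(("*." + parent, rtype))

def dname_rewrite(zone, name):
    """RFC 6672 substitution: swap the DNAME owner suffix for its target."""
    labels = name.split(".")
    for i in range(1, len(labels) - 1):      # strict ancestors of name only
        target = zone.get((".".join(labels[i:]), "DNAME"))
        if target:
            return ".".join(labels[:i]) + "." + target
    return None

def resolve_tlsa(zone, qname, max_hops=8):
    """Follow CNAME/DNAME aliases; return (final owner, TLSA rdata or None)."""
    name = qname
    for _ in range(max_hops):
        nxt = lookup(zone, name, "CNAME") or dname_rewrite(zone, name)
        if nxt is None:
            return name, lookup(zone, name, "TLSA")
        name = nxt
    raise RuntimeError("alias chain too long")

if __name__ == "__main__":
    for zone_name, zone in (("DNAME", DNAME_ZONE), ("CNAME", CNAME_ZONE)):
        for port in (25, 443, 587):
            q = f"_{port}._tcp.mail1.example.com."
            print(zone_name, q, "->", *resolve_tlsa(zone, q))
```

With the DNAME zone, port 587 ends at `_587._dane.example.com.` with no TLSA data, so clients see no DANE policy for it; with the wildcard CNAME zone, port 587 inherits the same TLSA RRset as 25 and 443.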