[dns-operations] CNAME at the apex breaks DNSSEC DS lookups from caches
Robert L Mathews
lists at tigertech.com
Sat Apr 16 17:45:28 UTC 2022
On 4/15/22 1:56 PM, Emmanuel Fusté wrote:
> Firefox and Chrome have had HTTPS/SVCB support enabled for two to four
> major releases, and for years on iOS.
That's recent in client terms, though (and it doesn't look like
Microsoft Edge supports it yet, for example). It will take at least a
decade until people feel like they can rely on 99% of clients supporting it.
Even then, it will probably never actually get to 99%, and people are
just going to keep using "CNAME at the apex" for the other 1%+.
The ANAME draft would have offered an immediate alternative to any DNS
operator who wanted it, that worked 100% of the time, without needing
any client updates.
> CNAME at the apex is only for browser/marketing purposes
Sure, but marketing is what makes people do things on the Internet.
Technical people are never going to be able to tell marketing people "We
made a change that means that X% of people who type 'example.com'
instead of 'www.example.com' see an error now", no matter how low X
gets. <shrug>
--
Robert L Mathews