[dns-operations] CNAME at the apex breaks DNSSEC DS lookups from caches

Robert L Mathews lists at tigertech.com
Sat Apr 16 17:45:28 UTC 2022

On 4/15/22 1:56 PM, Emmanuel Fusté wrote:
> Firefox and Chrome have had HTTPS/SVCB support enabled for two to four 
> major releases, and for years on iOS.

That's recent in client terms, though (and it doesn't look like 
Microsoft Edge supports it yet, for example). It will take at least a 
decade until people feel like they can rely on 99% of clients supporting it.

Even then, it will probably never actually get to 99%, and people are 
just going to keep using "CNAME at the apex" for the other 1%+.

The ANAME draft would have offered an immediate alternative to any DNS 
operator who wanted it, that worked 100% of the time, without needing 
any client updates.

> CNAME at the apex is only for browser/marketing purposes

Sure, but marketing is what makes people do things on the Internet. 
Technical people are never going to be able to tell marketing people "We 
made a change that means that X% of people who type 'example.com' 
instead of 'www.example.com' see an error now", no matter how low X 
gets. <shrug>

Robert L Mathews
