[dns-operations] CNAME at the apex breaks DNSSEC DS lookups from caches

John Levine johnl at taugh.com
Sat Apr 16 21:20:19 UTC 2022

It appears that Robert L Mathews <lists at tigertech.com> said:
>That's recent in client terms, though (and it doesn't look like 
>Microsoft Edge supports it yet, for example). It will take at least a 
>decade until people feel like they can rely on 99% of clients supporting it. ...

>The ANAME draft would have offered an immediate alternative to any DNS 
>operator who wanted it, that worked 100% of the time, without needing 
>any client updates. ...

I am intrigued at the idea that browsers take a decade to update while
DNS servers update instantly.

If that's what you want, it is not hard to fake an ANAME in DNS
provisioning software. That's what I've been doing for a long time. My
DNS servers just see the A and AAAA records that the provisioning
stuff copies into the zone.
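The "fake ANAME" approach described in the post, as an added example that is not the author's provisioning code: the target hostname is resolved at provisioning time and its addresses are written into the zone as ordinary A/AAAA records at the apex, so the authoritative servers and DNSSEC signer only ever see plain address records and no CNAME sits next to the SOA/NS. The zone layout, the `example.com.`/`cdn.example.net.` names, the addresses and the `resolver` hook are constructed assumptions; the default resolver uses `socket.getaddrinfo`, and the check that refuses a CNAME at the apex is the guard a practitioner would want for the failure mode in the subject line.

```python
"""Apex flattening ("fake ANAME") done in provisioning, not in the DNS server.

Assumed record model: (owner, ttl, rrtype, rdata) tuples, owner names fully
qualified. Sample zone and target addresses below are constructed.
"""
import ipaddress
import socket
from typing import Callable, List, Tuple

Record = Tuple[str, int, str, str]  # (owner, ttl, rrtype, rdata)


def resolve_target(name: str) -> List[str]:
    """Hypothetical default resolver: collect the target's IPv4/IPv6 addresses
    from the system resolver. Replaced by a fake in offline tests."""
    addrs = set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(name, None):
        if family in (socket.AF_INET, socket.AF_INET6):
            addrs.add(sockaddr[0])
    return sorted(addrs)


def check_apex(records: List[Record], apex: str) -> None:
    """Refuse a CNAME at the zone apex.

    A CNAME cannot coexist with the SOA/NS (or DNSKEY) that must live at the
    apex, and a validating cache that asks for those records there gets an
    answer it cannot use. Provisioning should reject the zone, not publish it."""
    apex_types = {r[2] for r in records if r[0] == apex}
    if "CNAME" in apex_types:
        others = sorted(apex_types - {"CNAME"})
        raise ValueError(f"CNAME at apex {apex} conflicts with {others}")


def flatten_aname(records: List[Record], apex: str, target: str,
                  ttl: int = 300,
                  resolver: Callable[[str], List[str]] = resolve_target) -> List[Record]:
    """Return the zone with the apex A/AAAA set replaced by the target's
    current addresses. Re-run on a schedule (or when the target changes)
    because the copied records do not follow the target by themselves."""
    check_apex(records, apex)
    # Drop any stale apex address records; everything else is kept untouched.
    kept = [r for r in records if not (r[0] == apex and r[2] in ("A", "AAAA"))]
    new: List[Record] = []
    for addr in resolver(target):
        ip = ipaddress.ip_address(addr)  # validates and picks the rrtype
        new.append((apex, ttl, "A" if ip.version == 4 else "AAAA", str(ip)))
    return kept + new


def format_zone(records: List[Record]) -> str:
    """Render records as zone-file lines the signer/authoritative can load."""
    return "\n".join(f"{o}\t{t}\tIN\t{ty}\t{rd}" for o, t, ty, rd in records)


# Constructed sample data for stand-alone use.
SAMPLE_ZONE: List[Record] = [
    ("example.com.", 3600, "SOA",
     "ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 300"),
    ("example.com.", 3600, "NS", "ns1.example.com."),
    ("example.com.", 60, "A", "198.51.100.1"),   # stale copy, to be replaced
]
FAKE_ANSWERS = {"cdn.example.net.": ["203.0.113.10", "2001:db8::10"]}


def demo() -> List[Record]:
    """Flatten the sample zone against the constructed target addresses."""
    return flatten_aname(SAMPLE_ZONE, "example.com.", "cdn.example.net.",
                         resolver=lambda n: FAKE_ANSWERS[n])


if __name__ == "__main__":
    print(format_zone(demo()))
```

Because the provisioning layer, not the nameserver, does the expansion, the published zone is DNSSEC-signable like any other, and the only operational cost is that the copied addresses go stale until the next provisioning run, so keep the apex TTL short and the refresh interval shorter than the target's expected change rate.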
