[dns-operations] CNAME at the apex breaks DNSSEC DS lookups from caches

Doug McIntyre merlyn at geeks.org
Sat Apr 16 22:10:14 UTC 2022

On Sat, Apr 16, 2022 at 05:20:19PM -0400, John Levine wrote:
> It appears that Robert L Mathews <lists at tigertech.com> said:
> >That's recent in client terms, though (and it doesn't look like 
> >Microsoft Edge supports it yet, for example). It will take at least a 
> >decade until people feel like they can rely on 99% of clients supporting it. ...
> >The ANAME draft would have offered an immediate alternative to any DNS 
> >operator who wanted it, that worked 100% of the time, without needing 
> >any client updates. ...
> I am intrigued at the idea that browsers take a decade to update while
> DNS servers update instantly.

It's probably the idea that there are clients that hang onto their old
software for so long that it has to become a relic before you can
reliably use the new technology.

I.e. as a webhost, we generally had to wait until Windows XP was dead and EOL
before we could effectively deploy SNI-hosted sites exclusively.

Until that point, we'd have to ask and see about the target audience
of our hosting customers, and be prepared to shift them to a unique IP address
if their customer base couldn't use SNI because they had too many
clients on old setups.

After it was EOL we could effectively tell our customers to tell their
clients that they can't support software so far out of date.
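The message above describes checking whether a hosting customer's audience can actually use SNI before moving that customer off a unique IP. The following is an added example, not code from the thread or from any participant: it builds constructed TLS 1.2 ClientHello records (one with a server_name extension, one without, standing in for a pre-SNI client) and parses them to tally how many handshakes carry SNI and for which names. The record layout follows RFC 5246/6066; the cipher-suite values, the fixed random bytes and the host names are arbitrary sample values.

```python
import struct


def _build_sni_extension(server_name: str) -> bytes:
    """server_name extension (type 0x0000) carrying one host_name entry."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    lst = struct.pack("!H", len(entry)) + entry             # ServerNameList
    return struct.pack("!HH", 0x0000, len(lst)) + lst


def build_client_hello(server_name=None) -> bytes:
    """Constructed TLS 1.2 ClientHello record. server_name=None emulates an
    old client that sends no extensions block at all (no SNI)."""
    body = b"\x03\x03"                  # client_version: TLS 1.2
    body += b"\x11" * 32                # random (constant, sample value)
    body += b"\x00"                     # session_id length 0
    suites = b"\xc0\x2f\x00\x9c"        # two sample cipher suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                 # compression_methods: null only
    if server_name is not None:
        ext = _build_sni_extension(server_name)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from the SNI extension, or None when the ClientHello
    carries none. Raises ValueError for anything that is not a well-formed ClientHello."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                        # skip client_version + random
        pos += 1 + body[pos]                                # session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len                                   # cipher_suites
        pos += 1 + body[pos]                                # compression_methods
        if pos == len(body):
            return None                                     # no extensions block: pre-SNI client
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(body):
            raise ValueError("bad extensions length")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != 0x0000:
                continue
            # ServerNameList: 2-byte list length, then entries of type(1) len(2) name
            lst_len = struct.unpack("!H", edata[:2])[0]
            q = 2
            while q + 3 <= 2 + lst_len:
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:
                    return edata[q:q + nlen].decode("ascii")
                q += nlen
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def sni_survey(records):
    """Tally how many ClientHellos carry SNI and which names they ask for,
    the kind of check a host would run before retiring a customer's unique IP."""
    out = {"with_sni": 0, "without_sni": 0, "names": {}}
    for rec in records:
        name = extract_sni(rec)
        if name is None:
            out["without_sni"] += 1
        else:
            out["with_sni"] += 1
            out["names"][name] = out["names"].get(name, 0) + 1
    return out


if __name__ == "__main__":
    sample = [build_client_hello("shop.example"), build_client_hello("shop.example"),
              build_client_hello(None)]
    print(sni_survey(sample))
```

In practice the records would come from a capture of the site's real client traffic rather than from `build_client_hello`; a non-zero `without_sni` count is the signal that some of that audience would land on the default certificate once the site shares an address.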

