[dns-operations] CNAME at the apex breaks DNSSEC DS lookups from caches

Evan Hunt each at isc.org
Sun Apr 17 00:58:34 UTC 2022

On Sat, Apr 16, 2022 at 05:20:19PM -0400, John Levine wrote:
> It appears that Robert L Mathews <lists at tigertech.com> said:
> >The ANAME draft would have offered an immediate alternative to any DNS 
> >operator who wanted it, that worked 100% of the time, without needing 
> >any client updates. ...
> I am intrigued at the idea that browsers take a decade to update while
> DNS servers update instantly.

Agreed. Everybody's used to regular browser updates now.

I was the original author of the ANAME draft, and I thought it was a
terrible idea, and said so at the time. The only reason I wrote it was that
I believed browser vendors would remain unwilling to adopt a more sensible
alternative, and as soon as my pessimism turned out to be unfounded, I was
quite happy to drop the proposal.

Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.

More information about the dns-operations mailing list