[dns-operations] CNAME at the apex breaks DNSSEC DS lookups from caches

Evan Hunt each at isc.org
Sun Apr 17 00:58:34 UTC 2022


On Sat, Apr 16, 2022 at 05:20:19PM -0400, John Levine wrote:
> It appears that Robert L Mathews <lists at tigertech.com> said:
> >The ANAME draft would have offered an immediate alternative to any DNS 
> >operator who wanted it, that worked 100% of the time, without needing 
> >any client updates. ...
> 
> I am intrigued at the idea that browsers take a decade to update while
> DNS servers update instantly.

Agreed. Everybody's used to regular browser updates now.

I was the original author of the ANAME draft, and I thought it was a
terrible idea, and said so at the time. The only reason I wrote it was that
I believed browser vendors would remain unwilling to adopt a more sensible
alternative, and as soon as my pessimism turned out to be unfounded, I was
quite happy to drop the proposal.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
