<div dir="ltr">we all said symlinks were a bad idea when Berkeley did them. We also all use them. The properties OF the symlink matter more than people realize, because 99% of the time, they care about the properties of the object pointed to by the symlink.<div>
<br></div><div>when Sun added ${symbolic} expansion on the fly to symlinks we all said it was a bad idea.. I dont think many of us use that any more much.</div><div><br></div><div>oh sorry: did I say symlink? I meant CNAME. Morally, the DNSSEC sigs over the CNAME are like the properties of the symlink. All the rest is about the target.</div>
<div><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Aug 7, 2014 at 10:06 AM, Andrew Sullivan <span dir="ltr"><<a href="mailto:ajs@anvilwalrusden.com" target="_blank">ajs@anvilwalrusden.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">On Thu, Aug 07, 2014 at 07:51:53AM +1000, Mark Andrews wrote:<br>
> Those with developers that don't read RFC 1034 which tried to prevent<br>
> this from happening.<br>
<br>
</div>You're probably right. But of course, RFC 1034 was written a number<br>
of years ago, and some of the protocol-specification language that<br>
later became well-understood isn't used in it. In particular,<br>
<div class=""><br>
> RR. If a CNAME RR is present at a node, no other data should be<br>
> present; this ensures that the data for a canonical name and its aliases<br>
> cannot be different.<br>
<br>
</div>this makes it sound like "nothing at a CNAME but a CNAME is a good<br>
idea" instead of "if you have a CNAME, that means by definition<br>
nothing else can be there." To a naïve reader, the text above might<br>
read as, "You shouldn't do this, but you could. But it'd have a bad<br>
consequence, and you don't want that, right?" What it should say, of<br>
course, is more like, "CNAME just means that the name you looked up is<br>
actually some other name, therefore there MUST be no other data at the<br>
owner name of a CNAME." Something like that.<br>
<br>
I've talked to people who've been facile with the DNS for a number of<br>
years, who didn't get that this wasn't some arbitrary rule, but was<br>
the very meaning of "canonical name". If you explain it, the lights<br>
always go on. But RFC 1034 does a poor job of explaining it.<br>
<div class="HOEnZb"><div class="h5"><br>
Best regards,<br>
<br>
A<br>
<br>
--<br>
Andrew Sullivan<br>
<a href="mailto:ajs@anvilwalrusden.com">ajs@anvilwalrusden.com</a><br>
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations<br>
dns-jobs</a> mailing list<br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-jobs" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-jobs</a></div></div></blockquote></div><br></div>