<div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763">Greetings all</div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763">Thank you for responding, that's very kind.</div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763">As some of the consideration are less relevant, with your permission I will refine my question:</div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763">We are looking into implementing IDN zones (finally..) <br></div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763">The IDN will be a mirror of an existing SLD (we are one of the few registries still using SLDs. No registrations under the ccTLD. yet..)</div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763"></div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763"> </div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763">So if I take for example the "<a href="http://co.il">co.il</a>" domain:</div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763">- It holds few hundred K delegations<br></div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763">- It holds only delegations. No MX, etc..<br></div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763">- It is dnssec signed, so will be the IDN<br></div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763">- Obviously resolver compliance is very important (Knot support is questionable?)<br></div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763"> it's new sibling would be: xn--mebbq.xn--4dbrk0ce</div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763">The immediate question is of course to consider the "out of the box" DNAME solution .</div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763"></div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763"></div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763">I saw few notes from other registries dealing with this (cn & JP for example), but couldn't find definitive conclusions, mainly due to the fact that these were quite old.</div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763">From what I read in the responses it looks like DNAME is still not ready for the task. <br></div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763">Or am I wrong?<br></div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763">Thanks again!</div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763"><br></div><div class="gmail_default" style="font-family:arial black,sans-serif;color:#073763"> <br></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 30 Mar 2020 at 07:12, Brian Somers <<a href="mailto:bsomers@opendns.com">bsomers@opendns.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">A few interesting things about DNAMES:<br>
<br>
* For unsigned zones, resolvers don’t have to do anything, but the DNAME itself can break<br>
- The synthesized CNAME makes the resolver “just work”<br>
- RFC 3597 section 7 says that resolvers MUST uncompress DNAMEs. If they don’t, they may serve corrupt RRs<br>
So a nameserver that serves compressed DNAMEs must be “fixed” by the resolver.<br>
* For signed zones three things can break<br>
- RFC 4034 section 6.2 explicitly says that DNAMEs must be lowercased before their signatures are validated<br>
- Synthesized CNAMEs are not signed, so resolvers have to use the DNAME to validate the CNAME.<br>
The DNAME must be signed and it must dictate the target of the CNAME<br>
<br>
Our (OpenDNS/Umbrella) resolver ignored DNAMEs up until recently. The current release running in production gets just about all of the above wrong :(. FWIW, the next release (just waiting to go out!) fixes all of the above!<br>
<br>
—<br>
Brian<br>
<br>
> On Mar 29, 2020, at 4:23 AM, Meir Kraushar via dns-operations <<a href="mailto:dns-operations@dns-oarc.net" target="_blank">dns-operations@dns-oarc.net</a>> wrote:<br>
> <br>
> <br>
> From: Meir Kraushar <<a href="mailto:meir@isoc.org.il" target="_blank">meir@isoc.org.il</a>><br>
> Subject: Any DNAME usage experience?<br>
> Date: March 29, 2020 at 4:23:29 AM PDT<br>
> To: <a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
> <br>
> <br>
> Hi <br>
> <br>
> I looking for insights, usage experience regarding DNAME record implementation.<br>
> If any compatibility issues, client side problems, resolvers etc?..<br>
> Highly apperciate If anyone could share their knowledge.<br>
> <br>
> Take care and stay safe.<br>
> Thank you!<br>
> <br>
> <br>
> <br>
> _______________________________________________<br>
> dns-operations mailing list<br>
> <a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
> <a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
<br>
</blockquote></div></div>