No salvation from DNSEXT (was: Additional thoughts on TRANSITIONAL)

Andrew Sullivan ajs at shinkuro.com
Fri Dec 4 16:03:38 CET 2009


On Fri, Dec 04, 2009 at 04:11:47AM -0800, Erik van der Poel wrote:

> However, I would encourage .de and .at registry folks to take a closer
> look at the .gr registry's claims that DNAME is not good enough for
> email, etc. If DNAME is not changed to include the root of the subtree
> or if no new xNAME is defined for that purpose, we may decide to keep
> Eszett DISALLOWED and add a mapping to ss.

I am not totally sure I yet understand precisely what the problem is
supposed to be for email -- it's not quite correct, I think, in the
details.  But there is in fact a practical problem with DNAME
(basically, if you want to resolve at the owner name of the DNAME and
not below it, you need both a DNAME and an A or something similar at
that owner name, and that makes management awkward).

All of _that_ said, if anyone thinks that our effort should depend on
what happens over in DNSEXT with respect to some possible xNAME
RRTYPE, please disabuse yourself of that notion right now.  I don't
want to get into the details, because they're off topic for this list,
but there are three problems:

    1.  There are serious, possibly insurmountable, technical barriers
    to something that completely aliases a whole tree.  

    2.  If you think it is hard to get consensus in this WG, you
    should follow the namedroppers (or dnsop) list for a while.

    3.  If you think browsers have a long tail for universal upgrade,
    you should have a look at how long it takes to get resolvers and
    servers replaced.  (For example, EDNS0 is over ten years old, and
    penetration is still in pockets as low as 60% of the resolver
    population.  Also, it turns out, one of the most popular resolvers
    on the planet implemented it wrong.)

The concerns about ambiguity are short-term ones, and they have to be
solved in the short term.  That means that anything involving changing
the way DNS works is not part of the solution.  DNS changes take many,
many years to deploy widely, and over 10 years to deploy universally.
(I only say "over 10" because the actual time isn't yet known --
AFAIK, they _never_ get deployed universally.)

A
-- 
Andrew Sullivan
ajs at shinkuro.com
Shinkuro, Inc.
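
The DNAME limitation described in the message above (redirection applies to names below the owner name, not to the owner name itself), as an added example that is not part of the original message. It is a simplified model of DNAME substitution; the zone data, names and function names are constructed for illustration.

```python
# Constructed zone data: alias.example. carries a DNAME to canonical.example.
ZONE = {
    ("alias.example.", "DNAME"): ["canonical.example."],
    ("canonical.example.", "A"): ["192.0.2.10"],
    ("www.canonical.example.", "A"): ["192.0.2.20"],
}

def labels(name):
    return name.rstrip(".").lower().split(".")

def dname_rewrite(qname, owner, target):
    """Rewrite qname only if it is strictly below the DNAME owner, else None."""
    q, o = labels(qname), labels(owner)
    if len(q) <= len(o) or q[-len(o):] != o:
        return None  # qname is the owner itself, or lies outside the subtree
    prefix = q[:-len(o)]
    return ".".join(prefix) + "." + target

def resolve(qname, qtype, zone, max_hops=8):
    """Look up qname/qtype, following DNAME substitutions (simplified model)."""
    name = qname.lower()
    for _ in range(max_hops):
        if (name, qtype) in zone:
            return zone[(name, qtype)]
        rewritten = None
        for (owner, rtype), targets in zone.items():
            if rtype == "DNAME":
                rewritten = dname_rewrite(name, owner, targets[0])
                if rewritten:
                    break
        if rewritten is None:
            return []  # no data at this name and no DNAME covers it
        name = rewritten
    return []

def with_owner_record(zone):
    """Copy of the zone with an A record duplicated at the DNAME owner name."""
    patched = dict(zone)
    patched[("alias.example.", "A")] = zone[("canonical.example.", "A")]
    return patched

if __name__ == "__main__":
    print(resolve("www.alias.example.", "A", ZONE))   # below the owner: redirected
    print(resolve("alias.example.", "A", ZONE))       # at the owner: no answer
    print(resolve("alias.example.", "A", with_owner_record(ZONE)))
```

The second record in with_owner_record has to be kept in sync with the target by hand, which is the management awkwardness the message refers to.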

