John C Klensin
klensin at jck.com
Fri Dec 4 22:05:43 CET 2009
--On Friday, December 04, 2009 15:08 -0500 Andrew Sullivan <ajs at shinkuro.com> wrote:
> On Fri, Dec 04, 2009 at 07:48:36PM +0000, Shawn Steele wrote:
>> It was stated that DNAME doesn't solve mail.
> Yes, but as I pointed out, I don't know why it doesn't.
> WARNING: DNS mumbo-jumbo below:
> Suppose you have dname-example.com and example.com:
> www.example.com IN A 192.0.2.5
> dname-example.com IN DNAME example.com
> Now, if you look up www.dname-example.com, you get back an
> answer with a DNAME or synthetic CNAME (or both) that gets you
> to 192.0.2.5.
Let me add one thing to your explanation. There are some
applications that believe that it should be possible to get
something back that matches when they do
QTYPE=PTR, QNAME= 22.214.171.124.in-addr.arpa.
One can argue they shouldn't. One can argue that placing
reliance on those records for some of the purposes for which
they are relied upon is dumb and that one should not expect it
to work. But it is used and I note that the various DNS WGs
have never been able to get consensus on deprecating the
capability and that the various security WGs have never been
able to get consensus on documents that would strongly advise
against use of tests on reverse-mapping as a security technique.
Getting the above query to return all of the names in the same
zone that have A RRs of 192.0.2.5 is just a matter of
management. In the general case, getting it to return all of
the names that might have alias targets that ultimately point to
that address is effectively impossible.
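To make the alias/reverse-mapping mismatch concrete, here is an added toy resolver (example code, not from this thread or from any DNS implementation) over a constructed in-memory zone: it applies the DNAME substitution Andrew describes and then runs a forward-confirmed reverse DNS check, which passes for www.example.com but fails for www.dname-example.com because the PTR record can only name owners that actually hold A RRs. The zone contents, the reverse-zone entry and the function names are assumptions.

```python
# Added example: toy in-memory resolver with DNAME substitution (RFC 6672 style)
# plus a forward-confirmed reverse DNS check. Zone data is constructed.
ZONE = {
    ("www.example.com.", "A"): ["192.0.2.5"],
    ("dname-example.com.", "DNAME"): ["example.com."],
    # Reverse zone as an operator would typically publish it (assumed data).
    ("5.2.0.192.in-addr.arpa.", "PTR"): ["www.example.com."],
}


def lookup(qname, qtype, zone=ZONE, depth=0):
    """Return (final_owner, rdata_list); rewrite names under a DNAME owner."""
    if depth > 8:
        raise RuntimeError("alias chain too long")
    if (qname, qtype) in zone:
        return qname, zone[(qname, qtype)]
    # DNAME applies to descendants of its owner, never to the owner itself,
    # so start at the parent label (i = 1), not at qname.
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):
        owner = ".".join(labels[i:])
        if (owner, "DNAME") in zone:
            target = zone[(owner, "DNAME")][0]
            new_name = ".".join(labels[:i]) + "." + target
            return lookup(new_name, qtype, zone, depth + 1)
    return qname, []  # NODATA / NXDOMAIN collapsed into an empty answer


def reverse_name(ipv4):
    """Build the in-addr.arpa owner name for a dotted-quad IPv4 address."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa."


def fcrdns_check(name):
    """Forward-confirmed reverse DNS: does a PTR for name's address equal name?

    The PTR side can only list owners that carry A RRs in the zone; a name
    reached through a DNAME alias is never among them, so the check fails.
    """
    _, addrs = lookup(name, "A")
    for addr in addrs:
        _, ptrs = lookup(reverse_name(addr), "PTR")
        if name in ptrs:
            return True
    return False


if __name__ == "__main__":
    print(lookup("www.dname-example.com.", "A"))  # ('www.example.com.', ['192.0.2.5'])
    print(fcrdns_check("www.example.com."))       # True
    print(fcrdns_check("www.dname-example.com."))  # False
```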