Implementation questions (digressing from...) / A DNAME issue

Andrew Sullivan ajs at shinkuro.com
Wed Dec 31 15:10:31 CET 2008 

On Wed, Dec 31, 2008 at 12:44:37PM +0200, Vaggelis Segredakis wrote:

> ***NOT*** the same with user at name2.gr. This seems to happen because the tree
> of name1.gr subdomains equals the tree of name2.gr subdomains below the
> initial DNAMEing level only!

Yes.  Please see the DNAME specification.  There's also a DNAME
clarification draft working its way (currently slowly, because of me)
through the DNSEXT working group.
 
> >From this you can assume that the DNAME solution proposed is not a simple
> one but instead it can lead to further problems.

It's by no means ideal.  What would obviously be ideal is to have
something that aliases everything at example.tld to otherexample.tld.
A record like this:

  example.tld 86400 IN CNAME otherexample.tld

substitutes otherexample.tld for example.tld during the CNAME
processing.  But the same is not true for a similar DNAME.  To quote
draft-ietf-dnsext-rfc2672bis-dname-14, 

> 2.3. DNAME Apex not Redirected itself


>    Unlike a CNAME RR, a DNAME RR redirects DNS names subordinate to its
>    owner name; the owner name of a DNAME is not redirected itself.  The
>    domain name that owns a DNAME record is allowed to have other
>    resource record types at that domain name, except DNAMEs or CNAMEs.
>    This means that DNAME RRs are not allowed at the parent side of a
>    delegation point but are allowed at a zone apex.

>    The reason for this decision was that one can have a DNAME at the
>    zone apex.  There still is a need to have the customary SOA and NS
>    resource records at the zone apex.  This means that DNAME does not
>    mirror a zone completely, as it does not mirror the zone apex.

>    These rules also allow DNAME records to be queried through RFC 1034
>    [RFC1034] compliant, DNAME-unaware caches.

 
> In our registry we have been using this solution knowing the problems and
> pointing them out to our registrants when they decide to set up their domain
> name zones. However, if you wish this protocol to move forward and be
> successful with the use of email as well, you should not impose on
> registries to DNAME names. Instead, it would be useful each transformation
> or mapping to exist in the protocol itself.

Nobody is imposing DNAMEs on anyone; it's merely an option available
to operators.  Note that you can have other RRs at the domain name.
Therefore, if you _really_ want to support A records at the DNAME node
name, you could bundle the DNAMEd names in your registry database
somehow, and then when the A record for one of the hostnames was
updated, you could update all of them.  I think this is ugly, but we
don't have an RRTYPE that can mirror a zone completely.  It would be
nice were there one, but there isn't, and we have to cobble together
something that will work using the parts we have.

A

-- 
Andrew Sullivan
ajs at shinkuro.com
Shinkuro, Inc.

More information about the Idna-update mailing list