On Jul 21, 2011, at 11:43 PM, Mark Andrews wrote:

>> I'm fairly convinced that in the vast majority of cases, SRV is a bad
>> idea. DNS is already too out of sync from hosts in many situations; SRV
>> just makes the situation worse. Or to put it another way, if you want
>> to give every DNS admin the ability to impose fine-grained control over
>> what all of the hosts named by his DNS zones can do, deploy SRV
>> universally. There are situations where this makes sense, but overall,
>> giving that level of control to DNS administrators is an extremely bad
>> idea.
>
> What a load of FUD. SRV records are no different to CNAME/MX records
> in terms of control. We don't shy away from adding MX records for
> email or CNAME records for HTTP when CNAME is used as a SRV equivalent.

SRV records look at first glance like a straightforward generalization of MX records. But in a sense, that's the problem.

One danger of SRV records is that because they are generic, people keep thinking that they should be retroactively applied to all protocols, whether it makes sense or not. This is a huge slippery slope. Not only is there a potential for SRV records to be applied to protocols for which they aren't well suited (which is to say, most protocols), but there will also be a temptation to use SRV to route traffic through NATs that do port mapping, by changing the ports on which those protocols operate from their defaults. Combine this with multi-faced DNS, so that the port that a peer uses to talk to a service will vary according to from where the DNS query was made, and you get a huge mess.

A related problem is due to the tension between DNS names as hostnames, and DNS names as names for things besides hosts. DNS started out (quite deliberately) as a system for naming only hosts, and it still reflects that heritage in several ways. But people keep using it, understandably, to name services rather than hosts, or sometimes to use the same name for both.

When a DNS name is exclusively used to associate a name with an IP address or set of IP addresses that provide a single service, that's not a problem. But when a DNS name is used in some contexts to name a host and in other contexts to name a service, that invites problems. When people take a DNS name that is used to name a host and then add SRV records for the same name, unless it's done very carefully, that disrupts use of that DNS name to refer to the host and protocol servers at that host.

For email and MX records, it didn't make such a big difference because by the time MX records were in widespread use, workstations were replacing larger multiuser machines and it became natural to want to associate several hosts with a single email server and map all of them to a single email domain. But that's a very specific use case. MX records, in practice, really don't change the behavior of a protocol or host so much as allow domain names to be used for a purpose other than to name hosts - namely to associate email addresses from that domain with one or more SMTP servers willing to receive mail for them. (Even then, the problem of MX records being out of sync with the SMTP servers does exist, and used to be a significant source of mail delivery errors.)

CNAMEs are a mess for other reasons. But at least they don't give DNS admins fine-grained control over individual protocols and services. If the CNAME is screwed up, it's screwed up for everything associated with that domain. That tends to call more attention to the problem.

> Note even with SRV you have fallback to A/AAAA records when no SRV
> record is present.

Right, but the DNS admin can blackhole or reroute traffic for your host by installing a SRV record that you don't want or that doesn't match reality. Bad architecture. There's a place for access controls and traffic filters, but it's not in DNS.
Keith

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
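The SRV behaviour the two posters argue about (fallback to A records when no SRV record exists, and a zone admin's ability to reroute or blackhole a service by publishing one), as an added example that is not part of either message: a small RFC 2782 resolver over a constructed zone, plus an audit that lists the SRV entries steering clients away from the host a name otherwise identifies. The example.test names, 192.0.2.x addresses and record set are made up for the demonstration.

```python
import random
from collections import defaultdict
# Constructed zone (not a real domain): (owner, type) -> records; SRV = (priority, weight, port, target).
ZONE = {
    ("mail.example.test", "A"): ["192.0.2.10"],
    ("nat-gw.example.test", "A"): ["192.0.2.30"],
    ("backup.example.test", "A"): ["192.0.2.40"],
    ("_imap._tcp.mail.example.test", "SRV"): [
        (10, 60, 143, "mail.example.test"),     # the host itself, default port
        (10, 40, 1143, "nat-gw.example.test"),  # port remapped behind a NAT
        (20, 0, 143, "backup.example.test"),    # lower-priority fallback host
    ],
    # A lone SRV with target "." declares the service unavailable (RFC 2782).
    ("_xmpp-client._tcp.mail.example.test", "SRV"): [(0, 0, 0, ".")],
}
def order_srv(records, rng=random.random):
    """RFC 2782 ordering: ascending priority, weighted random within one priority."""
    by_prio = defaultdict(list)
    for rec in records:
        by_prio[rec[0]].append(rec)
    ordered = []
    for prio in sorted(by_prio):
        group = by_prio[prio]
        while group:
            pick = rng() * sum(rec[1] for rec in group)
            for chosen in group:  # weighted pick; if all weights are 0, the last one
                pick -= chosen[1]
                if pick < 0:
                    break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered
def resolve_service(zone, service, proto, owner, default_port, rng=random.random):
    """Ordered (host, port, addresses) to try; [] means the zone admin blackholed it."""
    srv = zone.get((f"_{service}._{proto}.{owner}", "SRV"), [])
    if not srv:  # no SRV: fall back to the owner's own A records on the default port
        return [(owner, default_port, zone.get((owner, "A"), []))]
    if len(srv) == 1 and srv[0][3] == ".":
        return []
    return [(t, p, zone.get((t, "A"), [])) for _, _, p, t in order_srv(srv, rng)]
def srv_divergence(zone, service, proto, owner, default_port):
    """Audit: SRV entries that steer clients away from the host that `owner` names."""
    host_addrs = set(zone.get((owner, "A"), []))
    findings = []
    for _, _, port, target in zone.get((f"_{service}._{proto}.{owner}", "SRV"), []):
        if target == ".":
            findings.append(f"{owner}: {service}/{proto} blackholed by SRV target '.'")
        elif port != default_port or not host_addrs & set(zone.get((target, "A"), [])):
            findings.append(f"{owner}: {service}/{proto} diverted to {target}:{port}")
    return findings
```

Running `srv_divergence` over a zone before publishing it surfaces exactly the cases discussed above: an SRV target on a non-default port or a different address than the host's own A record, and the "." target that silently withdraws a service.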