Clarification on ALIAS records

Hi unrelentingtech,

Thank you for your message, and welcome to deSEC! :slight_smile:

The problem with ALIAS is that it’s not actually a record type. Configuring an ALIAS record instructs the authoritative server to do a lookup of the ALIAS target whenever the name is queried, and return an A/AAAA record synthesized ad-hoc. This way, when the IP of the target changes, it is transparently taken into account.

The problem comes in when combining this with DNSSEC. In this case, the synthesized records need to be signed ad-hoc. That causes the following issues:

  1. Our globally distributed secondary nameservers don’t have any private key material, so they can’t sign the response ad-hoc. (They only have pre-signed records with fixed contents that were signed by our main server. This is by intention so that we don’t need to trust foreign jurisdictions.)
  2. One could direct all such queries to our main server for ad-hoc signing, but that would a) be very complicated, b) create a single point of failure at query time, c) significantly increase latency.
  3. We could modify our software so that our main server configures and signs A/AAAA records statically whenever an ALIAS record is configured, distributes them to the secondaries, and updates them periodically. However, this is a non-trivial development effort. Furthermore, it is not immediately clear what DNSSEC requirements should be imposed for the lookup on the main server side. If the target is not secured with DNSSEC, then we wouldn’t know if the IPs we’re looking up to configure the A/AAAA records are authentic – but we still would be signing them. That’s very misleading, as far as DNSSEC guarantees are concerned.

We have written down some of these concerns here. The feature is currently not assigned to any milestone, so it may take a while until we support it (if at all – it is unclear whether a feasible solution exists). As usual, we are short on resources; in particular we are in short supply of work force. As deSEC is a community effort, you are very welcome to take on this issue if you see a way to contribute!

This instruction is indeed not very helpful, and we should improve the wording.

Stay secure,
Peter

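Worked example of the "static flattening" idea from point 3 of the reply above. This is added illustration code, not deSEC's implementation and not anything the author proposed in detail: an ALIAS record is expanded at zone-build time into the target's A/AAAA records, which can then be signed and distributed as ordinary static records, and re-expanded before the shortest TTL expires. The resolver is a constructed in-memory stand-in (`FAKE_RESOLVER`, with made-up names and documentation-range addresses), and the DNSSEC caveat is modelled through the resolver's AD flag: if the target's addresses were not validated, the builder refuses rather than sign data whose authenticity it never checked. The names `flatten_alias`, `build_static_zone` and `UnauthenticatedTarget` are all hypothetical.

```python
# Added example (not deSEC's code): expand ALIAS records into static A/AAAA
# records at zone-build time, refusing to do so when the target lookup was not
# DNSSEC-validated. The resolver below is a constructed stand-in; no network I/O.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ResolverAnswer:
    """What a validating recursive resolver would return for an ALIAS target."""
    rrs: List[Tuple[str, str, int]]  # (rrtype, rdata, ttl)
    ad: bool                         # True only if the resolver DNSSEC-validated the answer


# Constructed sample answers (hypothetical names, RFC 5737 / RFC 3849 addresses).
FAKE_RESOLVER: Dict[str, ResolverAnswer] = {
    "cdn.example.net.": ResolverAnswer(
        [("A", "192.0.2.10", 300), ("A", "192.0.2.11", 300), ("AAAA", "2001:db8::10", 60)],
        ad=True,
    ),
    # Target zone without DNSSEC: the resolver cannot vouch for these addresses.
    "legacy.example.org.": ResolverAnswer([("A", "198.51.100.7", 3600)], ad=False),
}


@dataclass(frozen=True)
class ZoneRecord:
    name: str
    rtype: str
    rdata: str
    ttl: int


class UnauthenticatedTarget(Exception):
    """Raised when the ALIAS target's addresses could not be DNSSEC-validated."""


def flatten_alias(owner, target, alias_ttl, resolver, require_dnssec=True):
    """Return the A/AAAA records that replace one ALIAS record at build time."""
    answer = resolver.get(target)
    if answer is None:
        raise LookupError(f"no answer for ALIAS target {target}")
    if require_dnssec and not answer.ad:
        # Signing these would assert an authenticity that was never verified.
        raise UnauthenticatedTarget(target)
    flattened = []
    for rrtype, rdata, ttl in answer.rrs:
        if rrtype not in ("A", "AAAA"):
            continue
        # Cap at the ALIAS record's own TTL so the zone owner's value is honoured.
        flattened.append(ZoneRecord(owner, rrtype, rdata, min(alias_ttl, ttl)))
    return flattened


def build_static_zone(records, resolver, require_dnssec=True):
    """Expand every ALIAS; return (static records, seconds until re-expansion is due)."""
    out: List[ZoneRecord] = []
    refresh: Optional[int] = None
    for name, rtype, rdata, ttl in records:
        if rtype != "ALIAS":
            out.append(ZoneRecord(name, rtype, rdata, ttl))
            continue
        synthesized = flatten_alias(name, rdata, ttl, resolver, require_dnssec)
        out.extend(synthesized)
        for rec in synthesized:
            # The shortest synthesized TTL bounds how long the static copy stays valid.
            refresh = rec.ttl if refresh is None else min(refresh, rec.ttl)
    return out, refresh


# Constructed sample zone: an ALIAS at the apex plus ordinary records.
SAMPLE_ZONE = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600", 3600),
    ("example.com.", "ALIAS", "cdn.example.net.", 120),
    ("www.example.com.", "CNAME", "cdn.example.net.", 300),
]

if __name__ == "__main__":
    static, refresh = build_static_zone(SAMPLE_ZONE, FAKE_RESOLVER)
    for rec in static:
        print(f"{rec.name:20} {rec.ttl:5} IN {rec.rtype:6} {rec.rdata}")
    print(f"re-run expansion within {refresh} seconds")
    try:
        build_static_zone([("example.com.", "ALIAS", "legacy.example.org.", 120)], FAKE_RESOLVER)
    except UnauthenticatedTarget as exc:
        print(f"refused to sign addresses for {exc}: target is not DNSSEC-secured")
```

The refusal path is the part that matters for the reply's third point: with `require_dnssec=False` the builder would happily emit (and a signer would then sign) the `legacy.example.org.` address, turning an unverified lookup into a DNSSEC-signed assertion.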