Aliasing a domain any implications for DNSSEC/DANE

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Jan 16 16:35:29 CET 2015


On Fri, Jan 16, 2015 at 08:35:11AM -0500, John wrote:

> I originally thought of using dname records for the domain aliases and cname
> records for the TLSA records.

You seem to be adding the list into the middle of a conversation.  Can you
start at the beginning?  What are you trying to achieve?  Be specific.

> But for this to work I would need to enable recursion on the authoritative
> server. I understand that for very good reasons this is considered a very
> bad idea, therefore I won't go in this direction.

Again, what are you talking about?  There are in fact valid
deployments in which CNAME and DNAME records are used for TLSA
records in the same way they work for any other DNS RRtype.

CNAMEs are specifically recommended for certificate usage DANE-TA(2)
configurations where the organization's issuing CA TLSA RRs are kept
in one place, and CNAME aliases point there from multiple hosts.

    https://tools.ietf.org/html/draft-ietf-dane-ops-07#section-5.2

When a host is an alias to another host, the same draft
suggests that its TLSA records should automatically be sought there
and this is required by the SMTP DANE draft.  So you don't need to
do anything special for that.  However you can also:

	www.example.com. IN CNAME cdn.example.net.
	_tcp.www.example.com. IN DNAME _tcp.cdn.example.net.

> As an alternative I am considering using the same zone file for all three
> zones.

I don't see how this changes much of anything.

> I assume that I should only have to maintain an inline on the main
> domain entry in bind.
> Is this the "best" way of aliasing? What gotchas should I be aware of?

The first gotcha is that we are not mind readers, and you should
explain with some specificity what problem you're trying to solve.

-- 
	Viktor.
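An added illustration of the two alias patterns Viktor describes (a host CNAME plus a `_tcp` DNAME, and DANE-TA(2) per-host TLSA names CNAMEd to one shared RRset). This is not code from the thread or from any DNS software: it is a toy in-memory resolver over a constructed zone map. The names `cdn.example.net`, `_dane.example.com`, `mx2.example.com` and the TLSA digests are made up, the helper names (`resolve`, `tlsa_lookup`) are the example's own, and DNSSEC validation is assumed to have succeeded for every record shown. The "expanded name first, then original name" order in `tlsa_lookup` is this example's reading of the dane-ops draft and RFC 7671 section 7; check the text you deploy against.

```python
"""Toy DNS lookup showing that CNAME and DNAME aliases apply to TLSA
records exactly as to any other RRtype.  Added example for the thread above;
zone data is constructed, and every record is assumed DNSSEC-secure (a real
client must only follow aliases that validated as secure)."""
from typing import Dict, List, Tuple

# Constructed zone data: owner name -> {rrtype: [rdata, ...]}.
# Names are fully qualified (trailing dot) and lower-case.
# TLSA rdata is (usage, selector, matching type, hex digest).
ZONES: Dict[str, Dict[str, List]] = {
    # Host alias: www is served by a CDN host in another zone.
    "www.example.com.": {"CNAME": ["cdn.example.net."]},
    # Alias the whole _tcp subtree so any port under www finds the CDN's TLSA.
    "_tcp.www.example.com.": {"DNAME": ["_tcp.cdn.example.net."]},
    "cdn.example.net.": {"A": ["192.0.2.10"]},
    "_443._tcp.cdn.example.net.": {"TLSA": [(3, 1, 1, "aa" * 32)]},
    # DANE-TA(2) pattern: per-host TLSA names are CNAMEs to one shared
    # RRset carrying the organisation's issuing-CA digest.
    "mail.example.com.": {"A": ["192.0.2.25"]},
    "_25._tcp.mail.example.com.": {"CNAME": ["_dane.example.com."]},
    "_25._tcp.mx2.example.com.": {"CNAME": ["_dane.example.com."]},
    "_dane.example.com.": {"TLSA": [(2, 1, 1, "bb" * 32)]},
}

MAX_ALIAS_HOPS = 8  # guard against CNAME/DNAME loops


def _apply_dname(name: str) -> str:
    """Rewrite `name` if any proper ancestor owns a DNAME (RFC 6672)."""
    labels = name.split(".")
    for i in range(1, len(labels) - 1):  # skip the name itself and the root
        ancestor = ".".join(labels[i:])
        dname = ZONES.get(ancestor, {}).get("DNAME")
        if dname:
            return ".".join(labels[:i]) + "." + dname[0]
    return name


def resolve(name: str, rtype: str) -> Tuple[str, List]:
    """Return (canonical owner name, rdata list) for name/rtype.

    Follows CNAME and DNAME as a resolver would for any RRtype; TLSA gets
    no special treatment, which is the point made in the thread.
    """
    name = name.lower()
    for _ in range(MAX_ALIAS_HOPS):
        substituted = _apply_dname(name)
        if substituted != name:       # DNAME synthesis, then look again
            name = substituted
            continue
        rrsets = ZONES.get(name, {})
        if rtype in rrsets:
            return name, list(rrsets[rtype])
        if "CNAME" in rrsets and rtype != "CNAME":
            name = rrsets["CNAME"][0]
            continue
        return name, []               # NODATA / NXDOMAIN in real DNS
    raise RuntimeError("alias chain too long: " + name)


def tlsa_lookup(host: str, port: int) -> Tuple[str, List]:
    """TLSA records for a TLS service at host:port.

    Assumed order (example's reading of the dane-ops draft / RFC 7671 s7):
    when the host is itself an alias, seek TLSA under the fully expanded
    target first, then fall back to the original host name.
    """
    expanded, _ = resolve(host, "A")
    candidates = [expanded]
    if host.lower() not in candidates:
        candidates.append(host.lower())
    for base in candidates:
        owner, rrs = resolve(f"_{port}._tcp.{base}", "TLSA")
        if rrs:
            return owner, rrs
    return "", []


if __name__ == "__main__":
    for host, port in (("www.example.com.", 443), ("mail.example.com.", 25),
                       ("mx2.example.com.", 25)):
        print(host, port, "->", tlsa_lookup(host, port))
```

Two things worth noticing when running it: the DNAME at `_tcp.www.example.com` means a direct query for `_443._tcp.www.example.com` lands on the CDN's TLSA record even without the host-alias fallback, and the three mail hosts share a single `_dane.example.com` TLSA RRset, so rolling the issuing CA is one record change rather than one per host.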

