Aliasing a domain any implications for DNSSEC/DANE

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Jan 16 18:17:24 CET 2015 

On Fri, Jan 16, 2015 at 11:59:41AM -0500, John wrote:

> this is about half of my original message, it looks as though the moths have
> been at it.

That's a relief, at least you tried to give us some context! :-)

> ### My original message###
> 
> I have three domains two of which are effectively aliases for the other
> (klam.ca --> klam.biz and klam.com).
> 
> ++++ poorly expressed klam.ca is my main domain, I would like the other two
> to be aliases.

Note at least in some cases, registrars create aliases between domains,
these can even be DNSSEC validated:

    $ dig +ad +noall +comment +ans -t mx nic.li.
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16620
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; ANSWER SECTION:
    nic.li.                 3599    IN      CNAME   switch.ch.
    switch.ch.              86400   IN      MX      10 presunto.switch.ch.
    switch.ch.              86400   IN      MX      20 jinhua.switch.ch.
    switch.ch.              86400   IN      MX      20 bresaola.switch.ch.
    switch.ch.              86400   IN      MX      10 elenski.switch.ch.

Though I must admit I don't know what it takes to register a domain
as an alias to another rather than as a separate zone.

> Currently all three zones are DNSSEC signed, klam.ca has TLSA records for
> things like the email  system and some web services.
> I would like to setup domain aliases  klam.biz and klam.com.
> 
> I originally thought of using DNAME records for the domain aliases and cname
> records for the TLSA records.

Go ahead and do that.

> But for this to work I would need  to enable recursion on the authoritative
> server. I understand that for very good reasons this is considered a very
> bad idea., therefor I wont go in this direction.

I don't think so.  Any required recursion will be done by resolvers
and applications.

> ++++ I had this wrong, recursion is not needed.

Correct, not in the sense of allowing recursive DNS queries.

> As an alternative I am considering is using the same zone file for all three
> zones. I assume that I would need to turn off maintain and inline for the
> alias zones (klam.biz and klam.ca).
> But this should mean that I only have maintain one zone file for all three
> domains.

Using a single source file may work, but the DNSKEY, RRSIG and
NSEC3 records have to be external to that file (as with auto-maintain
in BIND) and merged in as part of building the signed zones.

BIND 9.10.1 or 9.9.6 or later should be able to do this, and avoid
aliases if all three zones are intended to look identical, but this
requires some careful analysis to make sure you never need any
non-DNSSEC differences of any kind.

> Is this the "best" way of  aliasing? What gotchas should I be aware of?

Use CNAME and/or DNAME to alias either single domain name or
sub-trees as you see fit.

-- 
	Viktor.

More information about the dane-users mailing list