Aliasing a domain any implications for DNSSEC/DANE
Viktor Dukhovni
ietf-dane at dukhovni.org
Sat Jan 17 18:31:41 CET 2015
On Sat, Jan 17, 2015 at 09:11:19AM -0500, John wrote:
> >Using a single source file may work, but the DNSKEY, RRSIG and
> >NSEC3 records have to be external to that file (as with auto-maintain
> >in BIND) and merged in as part of building the signed zones.
>
> They already are, as I am using maintain and inline signing.
In that case, with care, you should be able to get away with a
single source file for multiple domains.
> >BIND 9.10.1 or 9.9.6 or later should be able to do this, and avoid
> >aliases if all three zones are intended to look identical, but this
> >requires some careful analysis to make sure you never need any
> >non-DNSSEC differences of any kind.
[ I meant "avoid the need for aliases", rather than "avoid aliases".
Aliases are fine. ]
> The only down side that I see is that the aliases will not themselves be
> using DNSSEC. I am not sure this matters as "real" services will.
I don't see why this follows. A CNAME from a signed into another signed
zone "uses DNSSEC".
--
Viktor.
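As an added illustration of the "single source file, inline-signed" setup discussed above (constructed example, not configuration from the thread; zone names, paths and key directory are placeholders):

```conf
// named.conf fragment: three zones share one unsigned source file.
// DNSKEY/RRSIG/NSEC3 records are never written into that file; BIND keeps
// them in the per-zone signed copy (common.zone.signed is created per zone
// under its own name by inline signing) and merges them at load time.
options {
    directory "/var/named";
};

// Each zone needs its own KSK/ZSK pair in key-directory, generated with
// dnssec-keygen for that zone name; the shared file itself carries no keys.
zone "example.com" IN {
    type master;
    file "shared/common.zone";
    key-directory "keys";
    inline-signing yes;
    auto-dnssec maintain;
};
zone "example.net" IN {
    type master;
    file "shared/common.zone";
    key-directory "keys";
    inline-signing yes;
    auto-dnssec maintain;
};
zone "example.org" IN {
    type master;
    file "shared/common.zone";
    key-directory "keys";
    inline-signing yes;
    auto-dnssec maintain;
};

// shared/common.zone: the "careful analysis" point is that every owner
// name and target must be origin-relative (no trailing dots), otherwise the
// file is only correct under one of the three origins.
// $TTL 3600
// @    IN SOA ns1 hostmaster 2015011701 7200 900 1209600 3600
//      IN NS  ns1
// ns1  IN A   192.0.2.1
// www  IN A   192.0.2.10
// mail IN CNAME www        ; relative CNAME, so signed under each zone

// NSEC3 (rather than NSEC) is switched on per zone after loading, e.g.
//   rndc signing -nsec3param 1 0 10 <salt> example.com
```

Any record that must differ between the domains (for example a CNAME from an alias domain into the primary one) breaks the shared-file model and needs a separate source file, though such a CNAME between two signed zones is itself fully DNSSEC-validated.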