Aliasing a domain any implications for DNSSEC/DANE

Viktor Dukhovni ietf-dane at
Sat Jan 17 18:31:41 CET 2015

On Sat, Jan 17, 2015 at 09:11:19AM -0500, John wrote:

> >Using a single source file may work, but the DNSKEY, RRSIG and
> >NSEC3 records have to be external to that file (as with auto-maintain
> >in BIND) and merged in as part of building the signed zones.
> They already are, as I am using maintain and inline signing.

In that case, with care, you should be able to get away with a
single source file for multiple domains.

> >BIND 9.10.1 or 9.9.6 or later should be able to do this, and avoid
> >aliases if all three zones are intended to look identical, but this
> >requires some careful analysis to make sure you never need any
> >non-DNSSEC differences of any kind.

[ I meant "avoid the need for aliases", rather than "avoid aliases".
  Aliases are fine. ]

> The only down side that I see is that the aliases will not themselves be
> using DNSSEC. I am not sure this matters as "real" services will.

I don't see why this follows.  A CNAME from a signed into another signed
zone "uses DNSSEC".

