Aliasing a domain any implications for DNSSEC/DANE

John john at
Sat Jan 17 19:00:53 CET 2015

On 1/17/2015 12:31 PM, Viktor Dukhovni wrote:
>> The only down side that I see is that the aliases will not themselves be
>> using DNSSEC. I am not sure this matters as "real" services will.
> I don't see why this follows.  A CNAME from a signed into another signed
> zone "uses DNSSEC".
"from a signed into another signed" neither or .com will be in 
themselves signed, they will inherit the signing of
I did wonder about adding both a dname and a  cname for / /might 

Something like:    IN DNAME    # this handles the subtree of    IN CNAME    # this handles itself

I have not tried it and my guess is that if it even passes validity 
checks it will produce unexpected consequences.
In the mean time I will stick to the single zone file for the moment.
Thanks on and all
John Allen
How many of you believe in telekinesis? Raise my hand...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4268 bytes
Desc: S/MIME Cryptographic Signature
URL: <>

More information about the dane-users mailing list