Aliasing a domain any implications for DNSSEC/DANE
John
john at klam.ca
Sat Jan 17 19:00:53 CET 2015
On 1/17/2015 12:31 PM, Viktor Dukhovni wrote:
>
>> The only down side that I see is that the aliases will not themselves be
>> using DNSSEC. I am not sure this matters as "real" services will.
> I don't see why this follows. A CNAME from a signed into another signed
> zone "uses DNSSEC".
>
"from a signed into another signed" neither klam.biz or .com will be in
themselves signed, they will inherit the signing of klam.ca.
I did wonder about adding both a dname and a cname for /klam.com /might
work.
Something like:
klam.com IN DNAME klam.ca # this handles the subtree of klam.com
klam.com IN CNAME klam.ca # this handles klam.com itself
I have not tried it and my guess is that if it even passes validity
checks it will produce unexpected consequences.
In the mean time I will stick to the single zone file for the moment.
Thanks on and all
--
John Allen
KLaM
------------------------------------------
How many of you believe in telekinesis? Raise my hand...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.sys4.de/cgi-bin/mailman/private/dane-users/attachments/20150117/3991dfea/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4268 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://mail.sys4.de/cgi-bin/mailman/private/dane-users/attachments/20150117/3991dfea/attachment-0001.bin>
More information about the dane-users
mailing list