Aliasing a domain any implications for DNSSEC/DANE

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Jan 17 19:10:49 CET 2015


On Sat, Jan 17, 2015 at 01:00:53PM -0500, John wrote:

> >I don't see why this follows.  A CNAME from a signed into another signed
> >zone "uses DNSSEC".
>
> "from a signed into another signed" neither klam.biz or .com will be in
> themselves signed, they will inherit the signing of klam.ca.

No such "inheriting" is possible.  Each domain's DNSKEY, SOA and
associated RRSIG records are its own.

> I did wonder about adding both a dname and a cname for klam.com might
> work.
> 
> Something like:
> 
> klam.com    IN DNAME klam.ca    # this handles the subtree of klam.com
> klam.com    IN CNAME klam.ca    # this handles klam.com itself

This is illegal.  You cannot combine CNAME records with records
other than RRSIG and NSEC.  The DNAME is fine, but any records at
the zone apex need to be duplicates, not CNAMEs.

Only the ".com" registry can create a working CNAME from one .com
domain to another.

-- 
	Viktor.
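A small checker for the two rules Viktor states here (a CNAME may share its owner name only with RRSIG and NSEC; a DNAME covers the subtree below its owner but not the owner itself, so apex data must be duplicated rather than CNAMEd). This is an added example, not code from the thread; the zone text and the 192.0.2.x addresses are constructed, and the parser accepts only the simple one-record-per-line form shown in the post.

```python
# Rules encoded: CNAME may coexist only with RRSIG/NSEC (RFC 4035 s2.5); a DNAME
# redirects names *below* its owner, never the owner itself (RFC 6672 s2.1).
from collections import defaultdict

CNAME_COMPANIONS = {"RRSIG", "NSEC"}   # the only types allowed beside a CNAME


def parse_zone(text):
    """Parse 'owner [TTL] IN TYPE rdata' lines into {owner: {TYPE: [rdata, ...]}}."""
    zone = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # '#' starts a comment, as in the post
        if not line:
            continue
        fields = line.split()
        if fields[1].isdigit():                 # optional TTL between owner and class
            del fields[1]
        zone[fields[0].lower()][fields[2].upper()].append(" ".join(fields[3:]))
    return zone


def cname_violations(zone):
    """Owner names where a CNAME coexists with anything other than RRSIG/NSEC."""
    return sorted(owner for owner, rrsets in zone.items()
                  if "CNAME" in rrsets and set(rrsets) - {"CNAME"} - CNAME_COMPANIONS)


def lookup(zone, qname, qtype):
    """Answer qname/qtype from the parsed data, applying one DNAME then one CNAME.
    Returns (name_that_answered, [rdata, ...]); the list is empty if nothing matched."""
    qname = qname.lower()
    for owner, rrsets in zone.items():
        if "DNAME" in rrsets and qname.endswith("." + owner):   # strictly below owner
            qname = qname[:-len(owner)] + rrsets["DNAME"][0].lower()
            break
    rrsets = zone.get(qname, {})
    if "CNAME" in rrsets and qtype != "CNAME":   # a CNAME redirects the name itself
        qname = rrsets["CNAME"][0].lower()
    return qname, list(zone.get(qname, {}).get(qtype, []))


# John's proposal from the thread: DNAME and CNAME at the same owner name.
PROPOSED = """klam.com    IN DNAME klam.ca    # this handles the subtree of klam.com
klam.com    IN CNAME klam.ca    # this handles klam.com itself
"""

# Constructed legal alternative: DNAME for the subtree, duplicated data at the apex.
CORRECTED = """klam.com     IN NS    ns1.klam.ca.
klam.com     IN DNAME klam.ca
klam.com     IN A     192.0.2.10   # duplicate of klam.ca's apex A record
klam.ca      IN A     192.0.2.10
www.klam.ca  IN A     192.0.2.20
"""
```

Running `cname_violations` on PROPOSED flags `klam.com`, while `lookup` on CORRECTED shows `www.klam.com` being rewritten to `www.klam.ca` by the DNAME and `klam.com` itself answered only by its duplicated apex record.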

