Aliasing a domain any implications for DNSSEC/DANE

Viktor Dukhovni ietf-dane at
Sat Jan 17 19:10:49 CET 2015

On Sat, Jan 17, 2015 at 01:00:53PM -0500, John wrote:

> >I don't see why this follows.  A CNAME from a signed into another signed
> >zone "uses DNSSEC".
> "from a signed into another signed" neither or .com will be in
> themselves signed, they will inherit the signing of

No such "inheriting" is possible.  Each domain's DNSKEY, SOA and
associated RRSIG records are its own.

> I did wonder about adding both a dname and a  cname for / /might
> work.
> Something like:
>    IN DNAME    # this handles the subtree of
>    IN CNAME    # this handles itself

This is illegal.  You cannot combine CNAME records with records
other than RRSIG and NSEC.  The DNAME is fine, but any records at
the zone apex need to be duplicates, not CNAMEs.

Only the ".com" registry can create a working CNAME from one .com
domain to another.


More information about the dane-users mailing list