Aliasing a domain any implications for DNSSEC/DANE
john at klam.ca
Sun Jan 18 13:19:01 CET 2015
On 1/17/2015 1:10 PM, Viktor Dukhovni wrote:
> On Sat, Jan 17, 2015 at 01:00:53PM -0500, John wrote:
>>> I don't see why this follows. A CNAME from a signed into another signed
>>> zone "uses DNSSEC".
>> "from a signed into another signed" neither klam.biz nor .com will be in
>> themselves signed, they will inherit the signing of klam.ca.
> No such "inheriting" is possible. Each domain's DNSKEY, SOA and
> associated RRSIG records are its own.
Yep, I realized that shortly after I posted.
>> I did wonder about adding both a dname and a cname for klam.com might
>> Something like:
>> klam.com IN DNAME klam.ca # this handles the subtree of klam.com
>> klam.com IN CNAME klam.ca # this handles klam.com itself
> This is illegal. You cannot combine CNAME records with records
> other than RRSIG and NSEC. The DNAME is fine, but any records at
> the zone apex need to be duplicates, not CNAMEs.
> Only the ".com" registry can create a working CNAME from one .com
> domain to another.
Which leads me to the conclusion that it is not possible to have what
I consider a true alias, that is a situation where domain_B IS domain_A.
Had I thought this through a little more thoroughly I should have
realized this. DNSSEC is designed to prevent this sort of aliasing,
after all what is a MITM attack but the presentation of domain_B as
Which in turn means that both domain_A and domain_B have to be
separately signed, even if every sub level of domain_B is in fact
provided by domain_A through a DNAME, thus allowing each domain to prove
How many of you believe in telekinesis? Raise my hand...
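As an added example (not code from this thread), the two rules Viktor states above, checked in Python: DNAME substitution never rewrites the owner name itself, and a CNAME at the apex cannot coexist with the SOA, NS, DNSKEY or DNAME records the apex must carry. The apex layouts for klam.com are constructed for the illustration.

```python
from typing import Optional, Set, List

# Added example, not from the dane-users thread. Zone contents below are
# constructed; klam.com / klam.ca are used as in the discussion.

# RFC 2181 s.10.1 / RFC 4035 s.2.5: a CNAME owner may carry only DNSSEC
# records besides the CNAME itself (NSEC3 added by RFC 5155).
CNAME_COMPATIBLE = {"CNAME", "RRSIG", "NSEC", "NSEC3"}


def dname_substitute(qname: str, owner: str, target: str) -> Optional[str]:
    """RFC 6672 DNAME substitution: names strictly below `owner` are
    rewritten under `target`; the owner itself is never rewritten, which is
    why apex records of the aliased zone must be real duplicates."""
    q, o, t = (n.lower().rstrip(".") for n in (qname, owner, target))
    if q == o:
        return None          # DNAME does not apply to its own owner name
    suffix = "." + o
    if not q.endswith(suffix):
        return None          # qname is not in the DNAME's subtree
    return q[:-len(suffix)] + "." + t


def apex_problems(types: Set[str]) -> List[str]:
    """Check the RR types found at a zone apex against the rules above.
    Returns an empty list when the layout is legal and self-signed."""
    problems = []
    if "CNAME" in types:
        clash = sorted(types - CNAME_COMPATIBLE)
        problems.append(f"CNAME cannot coexist with {clash}")
    for required in ("SOA", "NS"):
        if required not in types:
            problems.append(f"apex is missing {required}")
    if "DNSKEY" not in types:
        problems.append("no DNSKEY: the zone is unsigned and cannot "
                        "inherit another zone's signatures")
    return problems


# Constructed apex layouts for klam.com: the DNAME+CNAME idea from the
# thread, and the legal alternative with duplicated apex records.
PROPOSED_APEX = {"SOA", "NS", "DNAME", "CNAME", "DNSKEY", "RRSIG", "NSEC"}
LEGAL_APEX = {"SOA", "NS", "DNAME", "MX", "TXT", "DNSKEY", "RRSIG", "NSEC"}
```

`apex_problems(PROPOSED_APEX)` reports the CNAME clash while `LEGAL_APEX` passes, and `dname_substitute("klam.com", "klam.com", "klam.ca")` returns None, showing why the apex still needs its own records and its own DNSKEY/RRSIGs.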