Hi John,

On Fri, Jan 16, 2015 at 10:36 AM, John <j...@klam.ca> wrote:

> DNAME will not work with DNSSEC.
>

Not true. DNAMEs enable CNAME synthesis to other domains, after which synthesis the response works just like a regular CNAME response would. The authentication works by authenticating the DNAME (using the RRSIG covering the DNAME). The CNAME requires no RRSIG because it is known that all names under the DNAME are synthesized (to the target domain), which has been proven by the existence of the DNAME record itself.

> DNSSEC will try to find keys for klam.biz NOT klam.com, which results in
> DNSSEC failure.
>

Actually, it must try to find authentication chains for the appropriate records in *both* klam.biz and klam.com.

http://dnsviz.net/d/www.klam.biz/VLkuUA/dnssec/

Again, this is not unlike regular (non-DNAME) out-of-zone CNAME examples, such as:

http://dnsviz.net/d/seas-web-test.huque.com/VLkyFA/dnssec/

Cheers,
Casey
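
The check described in the message above, as an added example that is not part of the original post: a validator accepts an unsigned CNAME only when it matches what a validated DNAME synthesizes (RFC 6672), then still needs chains for both zones. The DNAME record (klam.biz to klam.com), the function names and the sample data are assumptions constructed for illustration.

```python
# Added illustration: DNAME -> CNAME synthesis as a validator checks it.
# Assumption: a DNAME at klam.biz targeting klam.com; all data is constructed.

MAX_NAME_OCTETS = 255  # wire-format limit on a domain name


def labels(name):
    """Split a presentation-format name into lowercase labels (root -> [])."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def wire_length(lbls):
    """Wire length: one length octet per label, plus the root octet."""
    return sum(len(l) + 1 for l in lbls) + 1


def synthesize_cname(qname, dname_owner, dname_target):
    """Return the CNAME target the DNAME implies for qname, or None when the
    DNAME does not apply (qname is the owner itself or outside its subtree).
    Raises ValueError when the substituted name is too long (YXDOMAIN)."""
    q, owner, target = labels(qname), labels(dname_owner), labels(dname_target)
    if len(q) <= len(owner) or q[len(q) - len(owner):] != owner:
        return None  # a DNAME redirects names below its owner, not the owner
    new = q[:len(q) - len(owner)] + target
    if wire_length(new) > MAX_NAME_OCTETS:
        raise ValueError("YXDOMAIN: synthesized name exceeds 255 octets")
    return ".".join(new) + "."


def check_response(qname, dname, cname_target, dname_rrsig_valid):
    """Accept an unsigned CNAME only if a validated DNAME proves it.
    Returns (accepted, names whose chains must still be authenticated)."""
    if not dname_rrsig_valid:
        return False, []  # without a valid RRSIG on the DNAME nothing is proven
    expected = synthesize_cname(qname, dname["owner"], dname["target"])
    if expected is None or labels(expected) != labels(cname_target):
        return False, []  # CNAME is not the one the DNAME synthesizes
    # Both sides need a chain: the DNAME's zone and the target name's zone.
    return True, [dname["owner"], expected]


DNAME = {"owner": "klam.biz.", "target": "klam.com."}  # constructed record
```
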