> On 16 Jan 2015, at 15:36, John <j...@klam.ca> wrote:
>
> DNAME will not work with DNSSEC.

Other people have already corrected this statement, but I want to point out there are situations where DNAME makes DNSSEC easier.

We use it extensively in our reverse DNS to delegate 128.232.128.0/17 from one part of Cambridge to another. Instead of having 128 sub-zones from 128.232.128.in-addr.arpa to 255.232.128.in-addr.arpa, we have 128 DNAME records[*] that redirect to subdomains of the slightly weirdly named in-addr.arpa.cam.ac.uk zone.

This means we only need to manage one secure delegation (which does not cross organizational boundaries) instead of 128 secure delegations (which do).

[*] Actually, 127 DNAMEs and 256 CNAMEs. There is a mail server in one of the /24s and some recipient servers choke on DNAMEs when checking reverse DNS. Sigh.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at
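
The redirect scheme described in the message above, as an added sketch that is not part of the original post or the poster's configuration: it generates one DNAME per /24 (per-address CNAMEs for one /24) and applies the DNAME suffix rewrite to a reverse name. The target naming under in-addr.arpa.cam.ac.uk and the choice of which /24 holds the mail server are assumptions.

```python
import ipaddress

TARGET_ZONE = "in-addr.arpa.cam.ac.uk."  # zone named in the message
CNAME_ONLY_OCTET = 200  # hypothetical: the /24 that contains the mail server


def build_redirects(network="128.232.128.0/17"):
    """Return (owner, rrtype, target) tuples covering every /24 in the network."""
    records = []
    for subnet in ipaddress.ip_network(network).subnets(new_prefix=24):
        o1, o2, o3, _ = str(subnet.network_address).split(".")
        owner = f"{o3}.{o2}.{o1}.in-addr.arpa."
        # Assumed layout: same labels, re-rooted under the target zone.
        target = f"{o3}.{o2}.{o1}.{TARGET_ZONE}"
        if int(o3) == CNAME_ONLY_OCTET:
            # One CNAME per address, so a client checking this /24 never meets a DNAME.
            records += [(f"{h}.{owner}", "CNAME", f"{h}.{target}") for h in range(256)]
        else:
            records.append((owner, "DNAME", target))
    return records


def resolve_ptr_name(ip, records):
    """Return the name where the PTR for ip actually lives after redirection."""
    qname = ipaddress.ip_address(ip).reverse_pointer + "."
    for owner, rrtype, target in records:
        if rrtype == "CNAME" and qname == owner:
            return target
        # A DNAME rewrites names strictly below its owner, never the owner itself.
        if rrtype == "DNAME" and qname.endswith("." + owner):
            return qname[: -len(owner)] + target
    return qname  # no redirect applies


if __name__ == "__main__":
    recs = build_redirects()
    print(sum(r[1] == "DNAME" for r in recs), "DNAMEs,",
          sum(r[1] == "CNAME" for r in recs), "CNAMEs")
    print(resolve_ptr_name("128.232.129.5", recs))
```

Every redirected name ends up inside the single target zone, which is why only one secure delegation has to be maintained for it.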