Breaking up a class for delegation
Mark Andrews
Mark_Andrews at isc.org
Wed Sep 26 01:11:16 UTC 2007
> I'm led to believe that a resolver can't properly support DNSSEC
> unless it supports DNAME. I haven't fully understood the argument,
> but understand that some unacceptable corner cases arise otherwise.
The synthesized CNAME is unsigned. To be validate the CNAME
you need to be able to validate the DNAME and understand what it
does. In practice DNAME aware resolvers ignore the CNAME and
just regenerate it when required using the DNAME.
> /Niall
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the bind-users
mailing list