CNAMEs and DNSSEC?

Kevin Darcy kcd at daimlerchrysler.com
Tue Jun 19 22:51:02 UTC 2001


Michael Kjorling wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I was thinking about how to DNSSEC'ify my domains - which isn't as
> trivial as one might think. As we all know, a CNAME makes it illegal
> to have any other records associated with that name (e.g. an MX RR). Only
> one problem. To make managing my domains easier, I have gone from
> using A RRs more or less exclusively to heavy use of CNAMEs. So far so
> good. But how do you implement DNSSEC with these, requiring the NXT
> records?
>
> Any ideas on how to solve this dilemma? Is it even possible?
>
> I'm running BIND 9 so "CNAME and other data" is a fatal error. Don't
> even try suggesting that. And the CNAMEs point out of the zone in many
> cases, too, making it even worse.

Don't worry, be happy! The DNSSEC record types (SIG, NXT and KEY) are a
special case with respect to the "CNAME and other data" rule (see
RFC 2181 Section 10.1).

- Kevin
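
The rule cited in the reply above, as an added example that is not part of the original thread: a Python check that flags owner names where a CNAME coexists with anything other than the DNSSEC types. The zone data, names and the simplified one-record-per-line parser (integer TTLs only, no quoted ';') are assumptions made for the illustration.

```python
from collections import defaultdict

# Allowed beside a CNAME per RFC 2181 section 10.1: SIG, NXT, KEY. RRSIG and NSEC
# (their RFC 4034 successors) are added here, beyond what the 2001 thread covers.
DNSSEC_EXEMPT = {"SIG", "NXT", "KEY", "RRSIG", "NSEC"}
CLASSES = {"IN", "CH", "HS"}

def parse_records(zone_text):
    """Yield (owner, rrtype); a line starting with whitespace reuses the last owner."""
    owner = None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop ';' comments
        if not line.strip() or line.lstrip().startswith("$"):
            continue                                # blank line or $ORIGIN/$TTL
        fields = line.split()
        if not raw[0].isspace():
            owner = fields.pop(0).lower()
        # Skip the optional TTL and class tokens, in either order.
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields.pop(0)
        if owner and fields:
            yield owner, fields[0].upper()

def cname_conflicts(zone_text):
    """Return {owner: sorted types that illegally sit beside a CNAME}."""
    types = defaultdict(set)
    for owner, rrtype in parse_records(zone_text):
        types[owner].add(rrtype)
    conflicts = {}
    for owner, seen in types.items():
        extra = seen - DNSSEC_EXEMPT - {"CNAME"}
        if "CNAME" in seen and extra:
            conflicts[owner] = sorted(extra)
    return conflicts

# Constructed sample zone; all names and rdata are placeholders.
SAMPLE_ZONE = """\
$ORIGIN example.com.
www     3600 IN CNAME host.example.net.
        3600 IN SIG   CNAME 1 3 3600 ( constructed )
        3600 IN NXT   zzz.example.com. CNAME SIG NXT
mail    IN CNAME mx.example.net.
mail    IN MX    10 mx.example.net.   ; conflicts with the CNAME
ftp     IN A     192.0.2.10
"""

if __name__ == "__main__":
    print(cname_conflicts(SAMPLE_ZONE))
```

The signed alias `www` passes because only SIG and NXT accompany its CNAME, while `mail` is reported for carrying an MX record next to one.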




