How to alias a domain

Casey Deccio casey at deccio.net
Fri Jan 16 15:49:05 UTC 2015


Hi John,

On Fri, Jan 16, 2015 at 10:36 AM, John <john at klam.ca> wrote:

>  DNAME will not work with DNSSEC.
>

Not true.  DNAMEs enable CNAME synthesis to other domains, after which
synthesis the response works just like a regular CNAME response would.  The
authentication works by authenticating the DNAME (using the RRSIG covering
the DNAME).  The CNAME requires no RRSIG because it is known that all names
under the DNAME are synthesized (to the target domain), which has been
proven by the existence of the DNAME record itself.

> DNSSEC will try to find keys for klam.biz NOT klam.com, which results in
> DNSSEC failure.
>
Actually, it must try to find authentication chains for the appropriate
records in *both* klam.biz and klam.com.

http://dnsviz.net/d/www.klam.biz/VLkuUA/dnssec/

Again, this is not unlike regular (non-DNAME) out-of-zone CNAME examples,
such as:

http://dnsviz.net/d/seas-web-test.huque.com/VLkyFA/dnssec/

Cheers,
Casey
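
The synthesis rule discussed in the message above, as an added example that is not part of the original post: it applies the RFC 6672 DNAME substitution and shows why a validator can accept an unsigned CNAME once the DNAME's RRSIG has validated. It assumes a DNAME at klam.biz pointing to klam.com (inferred from the names in the thread); the function names are hypothetical and `dname_rrsig_valid` stands in for real signature verification.

```python
# Added example: DNAME substitution (RFC 6672) and the check that lets an
# unsigned, synthesized CNAME be trusted via the signed DNAME.

MAX_WIRE_NAME = 255  # maximum domain name length in wire format, in octets


def labels(name):
    """Split a domain name into lowercase labels, ignoring a trailing dot."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def synthesize_cname(qname, dname_owner, dname_target):
    """Return the synthesized CNAME target, or None if the DNAME does not apply."""
    q, owner = labels(qname), labels(dname_owner)
    # A DNAME redirects only names strictly below its owner, never the owner itself.
    if len(q) <= len(owner) or q[len(q) - len(owner):] != owner:
        return None
    new = q[:len(q) - len(owner)] + labels(dname_target)
    # Each label costs length + 1 octets, plus one octet for the root label.
    if sum(len(label) + 1 for label in new) + 1 > MAX_WIRE_NAME:
        raise ValueError("substituted name too long (server answers YXDOMAIN)")
    return ".".join(new) + "."


def cname_is_authenticated(qname, cname_target, dname_owner, dname_target,
                           dname_rrsig_valid):
    """Accept an unsigned CNAME only if a validated DNAME synthesizes exactly it."""
    if not dname_rrsig_valid:  # assumption: result of verifying the DNAME's RRSIG
        return False
    try:
        expected = synthesize_cname(qname, dname_owner, dname_target)
    except ValueError:
        return False
    return expected is not None and labels(cname_target) == labels(expected)


if __name__ == "__main__":
    # Constructed inputs using the zone names mentioned in the thread.
    print(synthesize_cname("www.klam.biz", "klam.biz", "klam.com"))
    print(cname_is_authenticated("www.klam.biz", "www.klam.com.",
                                 "klam.biz", "klam.com", True))
```

This covers only the alias step; the records at the synthesized name still need their own authentication chain in the target zone, which is the "both zones" point made in the message.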