CNAMEs and DNSSEC?

Michael Kjorling michael at kjorling.com
Tue Jun 19 22:14:53 UTC 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I was thinking about how to DNSSEC'ify my domains - which isn't as
trivial as one might think. As we all know, a CNAME makes it illegal
to have any other records associated to that name (e.g. a MX RR). Only
one problem. To make managing my domains easier, I have gone from
using A RRs more or less exclusively to heavy use of CNAMEs. So far so
good. But how do you implement DNSSEC with these, requiring the NXT
records?

Any ideas on how to solve this dilemma? Is it even possible?

I'm running BIND 9 so "CNAME and other data" is a fatal error. Don't
even try suggesting that. And the CNAMEs point out of the zone in many
cases, too, making it even worse.


Michael Kjörling

- --
Michael Kjörling - michael at kjorling.com - PGP: 8A70E33E
"We must be the change we wish to see" (Mahatma Gandhi)

^..^     Support the wolves in Norway -- go to     ^..^
 \/   http://home.no.net/ulvelist/protest_int.htm   \/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7L87hKqN7/Ypw4z4RAmB1AKC8Q3mS4rnwgf6Lfwpf7WaULu9SjQCbBmgB
ouFMCOeCivvdrFrcmUlls3A=
=kW/j
-----END PGP SIGNATURE-----




More information about the bind-users mailing list