CNAME and other data

Mark Andrews Mark_Andrews at
Sun Jan 30 23:52:58 UTC 2005

> >>>>> "Mark" == Mark Andrews <Mark_Andrews at> writes:
>     >> There are *no* duplicates that I can find.  (It would be nice if
>     >> named would log what the conflict is)
>     Mark> 	You are trying to load a DNSSEC zone (with a CNAME) on a
>     Mark> DNSSECbis server.
>   Yes, agreed. i said that :-)
>   I would ask that maybe 9.2.x might be more clear about the reason for
> the failure to load.

	Well the only thing missing was the name with the offending
	data which is easily found by transfering the zone and running
	named-checkzone on it.

		dig @ > tmp
		named-checkzone tmp

	In general "CNAME and other data" error should be picked up on the
	master.  DNSSECbis is special as it relaxed the rules.

	I suppose we could explictly check for RRSIG/NSEC in 9.2 issue a
>   I would also ask that perhaps 9.3.x be tolerant of NXT/SIG being
> present.  I really think this is important.

	I double checked.  It should load a DNSSEC zone.  It won't generate
	the proofs however.

>   If we want DNSSEC to be incrementally deployable, then making it hard
> for people to upgrade to 9.3 is a bad idea. Making it confusing to
> some ISP why their 9.2 fails to load a zone suddendly is also bad.

	Incremental deployment would require that proofs be generated and
	validated for both DNSSEC and DNSSECbis.  BIND 9.3 does not do this.

> - -- 
> ] Michael Richardson          Xelerance Corporation, Ottawa, ON |  firewalls 
>  [
> ] mcr @           Now doing IPsec training, see   |net architec
> t[
> ]   |device drive
> r[
> ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy");
>  [
> Version: GnuPG v1.2.2 (GNU/Linux)
> Comment: Finger me for keys
> iQCVAwUBQf1HaYqHRg3pndX9AQHnCwP/S+WfTPGxbivY6tfWN0yej6lKBEwtsh/+
> hqz0gDk2djtELvIfIJhVCJcitXZSzptusyR/t9mlMlHQqcgDcN+uAoeXtVhC9ADY
> +cf3Yzod2sc=
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at

More information about the bind-users mailing list