Breaking up a class for delegation

Mark Andrews Mark_Andrews at
Wed Sep 26 01:11:16 UTC 2007

> 	I'm led to believe that a resolver can't properly support DNSSEC
> 	unless it supports DNAME.  I haven't fully understood the argument,
> 	but understand that some unacceptable corner cases arise otherwise.

	The synthesized CNAME is unsigned. To be validate the CNAME
	you need to be able to validate the DNAME and understand what it
	does.  In practice DNAME aware resolvers ignore the CNAME and
	just regenerate it when required using the DNAME.
> 	/Niall
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at

More information about the bind-users mailing list