Question about DNSSEC
Mark Andrews
marka at isc.org
Thu Oct 31 22:34:36 UTC 2024
> On 1 Nov 2024, at 09:15, Bob McDonald <bmcdonaldjr at gmail.com> wrote:
>
> If a host is defined as a CNAME chain where the domain of the host is DNSSEC signed but the domain(S) of the target(s) in the CNAME chain are not, does that mean that the entry really isn't DNSSEC protected?
Correct. Every element of the chain needs to be DNSSEC signed (and validated as secure) for it to be protected.
> I can list an example dig for the host in question but I'm reluctant to do so as it's a US gov host.
>
> Please advise.
>
> Regards,
>
> Bob
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users
mailing list