[dns-operations] DNSSEC on host listed in MNAME

Tony Finch dot at dotat.at
Tue Dec 23 10:28:18 UTC 2014

Alexander Mayrhofer <alexander.mayrhofer at nic.at> wrote:
> i've been trying to find guidance whether or not the host listed in the
> MNAME field of the SOA record is required to have the respective zone
> signed (when it is signed on the authoritative servers, and a secure
> delegation exists at the parent)?

I believe it is not required.

> I understand the MNAME host is not queried under normal operational
> circumstances, but is there any formal text?

The MNAME host is often used for UPDATE requests.

I agree with you that it is reasonable to have a setup where there is a
bump-in-the-wire signer between the MNAME server and the public
authoritative servers.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
South German Bight, Humber, Thames, Dover, Wight: Southwesterly 6 to gale 8.
Rough or very rough. Occasional rain. Moderate or good.

More information about the dns-operations mailing list