[dns-operations] DNSSEC on host listed in MNAME
dot at dotat.at
Tue Dec 23 10:28:18 UTC 2014
Alexander Mayrhofer <alexander.mayrhofer at nic.at> wrote:
> i've been trying to find guidance whether or not the host listed in the
> MNAME field of the SOA record is required to have the respective zone
> signed (when it is signed on the authoritative servers, and a secure
> delegation exists at the parent)?
I believe it is not required.
> I understand the MNAME host is not queried under normal operational
> circumstances, but is there any formal text?
The MNAME host is often used for UPDATE requests.
I agree with you that it is reasonable to have a setup where there is a
bump-in-the-wire signer between the MNAME server and the public
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
South German Bight, Humber, Thames, Dover, Wight: Southwesterly 6 to gale 8.
Rough or very rough. Occasional rain. Moderate or good.
More information about the dns-operations