[dns-operations] DNSSEC on host listed in MNAME

[Peter Koch]

Hi Alex,

> i've been trying to find guidance whether or not the host listed in the MNAME field of the SOA record is required to have the respective zone signed (when it is signed on the authoritative servers, and a secure delegation exists at the parent)? I understand the MNAME host is not queried under normal operational circumstances, but is there any formal text?

the formal parts can be found in RFCs 1996 (NOTIFY), 2136 (Dynamic Update),
and 2181 (section 7.3).  None of these suggest that standard queries be sent
to that server (at least not as per its appearance in the MNAME field)
or should expect standard responses.

> This situation obviously arises in situations where "bump in the wire"-signing between a customers own nameserver and an external nameserver network is used..

RFC 4641, section 3.6, mentions a scenario remotely related to yours.
The corresponding section in the updated version RFC 6781, no longer
explicitly refers to the MNAME, though.  However, if you do apply a
"bump in the wire" solution, at least the SOA serial needs some
special attention anyway and in can be argued that the identity
of the zone shifts, i.e., the primary master (staying with the
singular for the ease of argument) of the signed instance of the
zone is what's "bumped" into the wire.  Is this a compliance dance or
would it cause ops issues?

-Peter