[dns-operations] Fun with DNAME and DNSSEC

Casey Deccio casey at deccio.net
Wed Jan 29 14:19:09 UTC 2014

On Tue, Jan 28, 2014 at 5:26 PM, Wessels, Duane <dwessels at verisign.com>wrote:

> On Jan 28, 2014, at 7:51 AM, Tony Finch <dot at dotat.at> wrote:
> > The Verisign Labs DNSSEC debugger does quite well, though it does not
> > understand that CNAME records synthesized from DNAME records do not have
> > RRSIG records.
> You should find that the Debugger now properly recognizes the DNAME record.
> It previously only used the DNAME record when the owner name was equal to
> the zone name.
DNSViz should now work too--no longer "discombobulated" :), but still slow
(needs a performance facelift).  It was actually handling DNAME properly;
it just wasn't querying for PTR outside of arpa, so it wasn't following the
synthesized CNAME.


Note that there are two "bubbles" for CNAME because one server provided a
different TTL (0) than the others (86400), the former following RFC 2672,
and the latter following updated TTL guidelines in RFC 6672.  Curiously,
for the server returning the 0 TTL, the corresponding IPv6 address (i.e.,
by the same name) returns the 86400 TTL.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20140129/75e0249a/attachment.html>

More information about the dns-operations mailing list