[dns-operations] Fun with DNAME and DNSSEC

Casey Deccio casey at deccio.net
Wed Jan 29 14:19:09 UTC 2014


On Tue, Jan 28, 2014 at 5:26 PM, Wessels, Duane <dwessels at verisign.com> wrote:

>
> On Jan 28, 2014, at 7:51 AM, Tony Finch <dot at dotat.at> wrote:
>
> > The Verisign Labs DNSSEC debugger does quite well, though it does not
> > understand that CNAME records synthesized from DNAME records do not have
> > RRSIG records.
>
>
> You should find that the Debugger now properly recognizes the DNAME record.
> It previously only used the DNAME record when the owner name was equal to
> the zone name.
>
>
DNSViz should now work too--no longer "discombobulated" :), but still slow
(needs a performance facelift).  It was actually handling DNAME properly;
it just wasn't querying for PTR outside of arpa, so it wasn't following the
synthesized CNAME.

http://dnsviz.net/d/252.252.232.128.in-addr.arpa/UuiYkg/dnssec/

Note that there are two "bubbles" for CNAME because one server provided a
different TTL (0) than the others (86400), the former following RFC 2672,
and the latter following updated TTL guidelines in RFC 6672.  Curiously,
for the server returning the 0 TTL, the corresponding IPv6 address (i.e.,
by the same name) returns the 86400 TTL.

Casey
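The two points the thread turns on (a synthesized CNAME has no RRSIG of its own, and its TTL is 0 under RFC 2672 but equal to the DNAME's TTL under RFC 6672) are easy to get wrong in a checker. The following is an added example, not code from DNSViz, the Verisign debugger, or anyone in the thread: it implements DNAME substitution as described in RFC 6672 Section 2.2 (owner name itself is not substituted, case-insensitive suffix match, YXDOMAIN when the result would exceed 255 octets), synthesizes the CNAME with either TTL rule, and performs the validator-side check of RFC 4035 Section 5.3.4, which accepts an unsigned synthesized CNAME only when the DNAME it came from validated and the CNAME is exactly what the validator would synthesize itself. The zone names (a reverse zone in the RFC 5737 documentation range) and the RR helper type are constructed for the example; the in-addr.arpa name from the thread is not modelled.

```python
"""DNAME substitution (RFC 6672 Section 2.2) and validator-side re-synthesis
of the unsigned CNAME (RFC 4035 Section 5.3.4). Pure Python, no dnspython."""

from collections import namedtuple

# Minimal RR representation for the example; names are presentation-format strings.
RR = namedtuple("RR", "owner ttl rtype rdata")

MAX_NAME_OCTETS = 255  # RFC 1035 limit on a wire-format name


def _labels(name):
    """Split a presentation-format name into lowercased labels (root -> [])."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def _join(labels):
    return ".".join(labels) + "."


def _wire_length(labels):
    """Octets the name occupies on the wire: each label plus its length byte, plus root."""
    return sum(len(label) + 1 for label in labels) + 1


def dname_substitute(qname, dname_owner, dname_target):
    """Return the substituted name for qname, or None when the DNAME does not apply.

    The DNAME applies only to names strictly below its owner (RFC 6672 Section 2.2);
    a query for the owner itself gets the DNAME RRset, not a synthesized CNAME.
    Raises ValueError when the result would exceed 255 octets (the server would
    answer YXDOMAIN).
    """
    q, owner, target = _labels(qname), _labels(dname_owner), _labels(dname_target)
    if len(q) <= len(owner) or q[len(q) - len(owner):] != owner:
        return None
    result = q[:len(q) - len(owner)] + target
    if _wire_length(result) > MAX_NAME_OCTETS:
        raise ValueError("YXDOMAIN: substituted name would exceed 255 octets")
    return _join(result)


def synthesize_cname(qname, dname_rr, rfc6672_ttl=True):
    """Synthesize the CNAME a DNAME-aware server returns next to the DNAME.

    TTL: RFC 6672 gives the synthesized CNAME the DNAME's TTL; the obsoleted
    RFC 2672 set it to 0. Both behaviours were seen in the thread, hence the flag.
    """
    target = dname_substitute(qname, dname_rr.owner, dname_rr.rdata)
    if target is None:
        return None
    return RR(qname, dname_rr.ttl if rfc6672_ttl else 0, "CNAME", target)


def validate_synthesized_cname(cname_rr, dname_rr, dname_validated):
    """RFC 4035 Section 5.3.4: a synthesized CNAME carries no RRSIG, so a validator
    accepts it only if the DNAME validated and the CNAME equals its own synthesis.
    A CNAME that does not match (e.g. injected alongside a real DNAME) is rejected."""
    if not dname_validated or cname_rr.rtype != "CNAME":
        return False
    try:
        expected = dname_substitute(cname_rr.owner, dname_rr.owner, dname_rr.rdata)
    except ValueError:
        return False
    return expected is not None and expected == _join(_labels(cname_rr.rdata))


# Constructed data (RFC 5737 documentation range), not the zone from the thread.
DNAME_RR = RR("2.0.192.in-addr.arpa.", 86400, "DNAME", "2.0.192.rev.example.")

if __name__ == "__main__":
    qname = "10.2.0.192.in-addr.arpa."
    for modern in (True, False):
        cname = synthesize_cname(qname, DNAME_RR, rfc6672_ttl=modern)
        print("RFC %s TTL rule:" % ("6672" if modern else "2672"), cname)
    genuine = synthesize_cname(qname, DNAME_RR)
    forged = RR(qname, 86400, "CNAME", "10.2.0.192.attacker.example.")
    print("genuine accepted:", validate_synthesized_cname(genuine, DNAME_RR, True))
    print("forged accepted:", validate_synthesized_cname(forged, DNAME_RR, True))
    print("DNAME not validated:", validate_synthesized_cname(genuine, DNAME_RR, False))
```

The validator check is the piece a DNSSEC debugger needs: it must not look for an RRSIG covering the CNAME at all, but it also must not simply trust any CNAME that arrives next to a DNAME, since the DNAME signature covers only the DNAME RRset.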