[dns-operations] Fun with DNAME and DNSSEC
casey at deccio.net
Wed Jan 29 14:19:09 UTC 2014
On Tue, Jan 28, 2014 at 5:26 PM, Wessels, Duane <dwessels at verisign.com> wrote:
> On Jan 28, 2014, at 7:51 AM, Tony Finch <dot at dotat.at> wrote:
> > The Verisign Labs DNSSEC debugger does quite well, though it does not
> > understand that CNAME records synthesized from DNAME records do not have
> > RRSIG records.
> You should find that the Debugger now properly recognizes the DNAME record.
> It previously only used the DNAME record when the owner name was equal to
> the zone name.
DNSViz should now work too--no longer "discombobulated" :), but still slow
(needs a performance facelift). It was actually handling DNAME properly;
it just wasn't querying for PTR outside of arpa, so it wasn't following the
Note that there are two "bubbles" for CNAME because one server provided a
different TTL (0) than the others (86400), the former following RFC 2672,
and the latter following updated TTL guidelines in RFC 6672. Curiously,
for the server returning the 0 TTL, the corresponding IPv6 address (i.e.,
by the same name) returns the 86400 TTL.
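
Added example, not part of the original message or of either tool discussed in it: a sketch of the check a validator can apply to the unsigned CNAME that accompanies a signed DNAME, plus classification of the two TTL behaviours mentioned above. The function names, the record tuples and the sample zone names are assumptions constructed for illustration.

```python
# Added illustration; all names and records below are constructed sample data.

def labels(name):
    """Split a presentation-format name into lowercase labels (no escape handling)."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def synthesize_target(qname, dname_owner, dname_target):
    """Apply DNAME substitution: replace the owner suffix of qname with the target.
    Returns None when the DNAME does not apply; it only covers names strictly
    below its owner, never the owner name itself."""
    q, o = labels(qname), labels(dname_owner)
    if len(q) <= len(o) or q[len(q) - len(o):] != o:
        return None
    prefix = q[:len(q) - len(o)]
    return ".".join(prefix + labels(dname_target)) + "."

def check_synthesized_cname(qname, dname, cname):
    """dname and cname are (owner, ttl, target) tuples taken from one response.
    Returns (verdict, ttl_style). A 'synthesized' verdict means the CNAME is
    vouched for by the DNAME's RRSIG, so the CNAME having no RRSIG of its own
    is expected and is not a validation failure."""
    d_owner, d_ttl, d_target = dname
    c_owner, c_ttl, c_target = cname
    expected = synthesize_target(qname, d_owner, d_target)
    if expected is None:
        return ("not-covered", None)   # CNAME must validate on its own
    if labels(c_owner) != labels(qname) or labels(c_target) != labels(expected):
        return ("mismatch", None)      # not what the DNAME would produce
    if c_ttl == d_ttl:
        style = "rfc6672"              # CNAME TTL copied from the DNAME
    elif c_ttl == 0:
        style = "rfc2672"              # older behaviour: TTL of zero
    else:
        style = "other"
    return ("synthesized", style)

# Constructed sample: a reverse zone delegated with DNAME, as in a PTR lookup.
QNAME = "5.2.0.192.in-addr.arpa."
DNAME = ("2.0.192.in-addr.arpa.", 86400, "rev.example.net.")

if __name__ == "__main__":
    for ttl in (0, 86400):
        cname = (QNAME, ttl, "5.rev.example.net.")
        print(ttl, check_synthesized_cname(QNAME, DNAME, cname))
```
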