[dns-operations] Any DNAME usage experience?

John Levine johnl at taugh.com
Sun Mar 29 20:15:07 UTC 2020


In article <20200329191324.GI41308 at straasha.imrryr.org> you write:
>On Sun, Mar 29, 2020 at 12:35:15PM -0400, John Levine wrote:
>
>> I have to say that at this point my advice is don't bother.  Whatever
>> problem you hope DNAMEs will solve, they won't.
>
>I see some administrators successfully using DNAMEs to retarget
>the entire "_tcp" subtree of a set of hosts to a common location.
>
>Something along the lines of:
>
>    _tcp.mail1.example.com. IN DNAME _dane.example.com.
>    _tcp.mail2.example.com. IN DNAME _dane.example.com.
>    _tcp.mail3.example.com. IN DNAME _dane.example.com.
>    *._dane.example.com IN TLSA 2 1 1 ...
>
>This works fine.

I suppose, although for this application, wouldn't this work just as well?

    *._tcp.mail1.example.com. IN CNAME _dane.example.com.
    *._tcp.mail2.example.com. IN CNAME _dane.example.com.
    *._tcp.mail3.example.com. IN CNAME _dane.example.com.
    _dane.example.com IN TLSA 2 1 1 ...

I can see that if you had both mail and web with _25 and _443 TLSA,
DNAME might be a little easier to set up.
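As an added illustration (not code from either post), a toy resolver that walks a TLSA query through the two layouts above, plus a constructed per-port variant of the DNAME zone showing the difference the last paragraph points at; the zone contents are constructed and the TLSA payloads are placeholders:

```python
# Toy resolver, added as an illustration (not code from the thread): answers a
# TLSA query under the DNAME layout quoted above and the wildcard-CNAME layout
# in the reply. Zone data is constructed and the TLSA payloads are placeholders.
def labels(name):
    return name.lower().rstrip(".").split(".")

def join(lbls):
    return ".".join(lbls) + "."

def lookup(zone, qname, qtype, depth=0):
    """Return (owner that finally held the record, rdata), or None."""
    if depth > 8:
        raise RuntimeError("CNAME/DNAME loop")
    lbls = labels(qname)
    # DNAME at a proper ancestor (RFC 6672) rewrites the name but keeps the
    # labels below the DNAME owner, so "_25" or "_443" survives the rewrite.
    for i in range(1, len(lbls)):
        anc = join(lbls[i:])
        if "DNAME" in zone.get(anc, {}):
            new = join(lbls[:i] + labels(zone[anc]["DNAME"]))
            return lookup(zone, new, qtype, depth + 1)
    rrs = zone.get(join(lbls))
    if rrs is None:  # no exact owner: closest wildcard (RFC 4592) synthesises one
        for i in range(1, len(lbls)):
            rrs = zone.get(join(["*"] + lbls[i:]))
            if rrs is not None:
                break
    if rrs is None:
        return None
    if qtype in rrs:
        return join(lbls), rrs[qtype]
    if "CNAME" in rrs:  # CNAME replaces the whole owner name, port label included
        return lookup(zone, rrs["CNAME"], qtype, depth + 1)
    return None

# Layout from the quoted post (mail1 only): DNAME per host, one wildcard TLSA.
DNAME_ZONE = {
    "_tcp.mail1.example.com.": {"DNAME": "_dane.example.com."},
    "*._dane.example.com.": {"TLSA": "2 1 1 PLACEHOLDER"},
}
# Same DNAME, but per-port TLSA records at the target (constructed variant).
PER_PORT_ZONE = {
    "_tcp.mail1.example.com.": {"DNAME": "_dane.example.com."},
    "_25._dane.example.com.": {"TLSA": "2 1 1 PLACEHOLDER-SMTP"},
    "_443._dane.example.com.": {"TLSA": "2 1 1 PLACEHOLDER-HTTPS"},
}
# Layout from the reply: wildcard CNAME per host, one TLSA at the target.
CNAME_ZONE = {
    "*._tcp.mail1.example.com.": {"CNAME": "_dane.example.com."},
    "_dane.example.com.": {"TLSA": "2 1 1 PLACEHOLDER"},
}
```

Under the wildcard CNAME every `_port._tcp` name collapses onto the single `_dane` owner, while the DNAME carries the port label across, which is why separate `_25` and `_443` records are straightforward only in the DNAME layout.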


