[dns-operations] Any DNAME usage experience?

Brian Somers bsomers at opendns.com
Mon Mar 30 04:11:22 UTC 2020


A few interesting things about DNAMES:

* For unsigned zones, resolvers don’t have to do anything, but the DNAME itself can break
  - The synthesized CNAME makes the resolver “just work”
  - RFC 3597 section 7 says that resolvers MUST uncompress DNAMEs.  If they don’t, they may serve corrupt RRs
    So a nameserver that serves compressed DNAMEs must be “fixed” by the resolver.
* For signed zones three things can break
  - RFC 4034 section 6.2 explicitly says that DNAMEs must be lowercased before their signatures are validated
  - Synthesized CNAMEs are not signed, so resolvers have to use the DNAME to validate the CNAME.
    The DNAME must be signed and it must dictate the target of the CNAME

Our (OpenDNS/Umbrella) resolver ignored DNAMEs up until recently.  The current release running in production gets just about all of the above wrong :(. FWIW, the next release (just waiting to go out!) fixes all of the above!

—
Brian

> On Mar 29, 2020, at 4:23 AM, Meir Kraushar via dns-operations <dns-operations at dns-oarc.net> wrote:
> 
> 
> From: Meir Kraushar <meir at isoc.org.il>
> Subject: Any DNAME usage experience?
> Date: March 29, 2020 at 4:23:29 AM PDT
> To: dns-operations at lists.dns-oarc.net
> 
> 
> Hi 
> 
> I looking for insights, usage experience regarding DNAME record implementation.
> If any compatibility issues, client side problems, resolvers etc?..
> Highly apperciate If anyone could share their knowledge.
> 
> Take care and stay safe.
> Thank you!
> 
> 
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations




More information about the dns-operations mailing list