On 16/01/2015 15:36, John wrote: > DNAME will not work with DNSSEC. > DNAME only work with the sub-tree, while DNSSEC is at the domain level. > > taking the example: > klam.biz IN DNAME klam.com > > DNSSEC will try to find keys for klam.biz NOT klam.com, which results in > DNSSEC failure.
DNAME and DNSSEC certainly do work together - take a look at http://dnsviz.net/d/www.lancaster.ac.uk/dnssec/ The klam.biz zone would need to be signed (I suppose you could use the same key material as for klam.com, but I am not sure what benefit that would bring) and biz to provide DS records, but there's nothing special there from a DNSSEC point of view. 74.116.186.178 (one of two nameservers for klam.biz) is currently returning SERVFAIL to my queries regarding klam.biz, which may be obscuring the real problem. Graham _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
