In article <20200329191324.gi41...@straasha.imrryr.org> you write:
>On Sun, Mar 29, 2020 at 12:35:15PM -0400, John Levine wrote:
>
>> I have to say that at this point my advice is don't bother. Whatever
>> problem you hope DNAMEs will solve, they won't.
>
>I see some administrators successfully using DNAMEs to retarget
>the entire "_tcp" subtree of a set of hosts to a common location.
>
>Something along the lines of:
>
>    _tcp.mail1.example.com. IN DNAME _dane.example.com.
>    _tcp.mail2.example.com. IN DNAME _dane.example.com.
>    _tcp.mail3.example.com. IN DNAME _dane.example.com.
>    *._dane.example.com     IN TLSA 2 1 1 ...
>
>This works fine.
I suppose, although for this application, wouldn't this work just as well?

    *._tcp.mail1.example.com. IN CNAME _dane.example.com.
    *._tcp.mail2.example.com. IN CNAME _dane.example.com.
    *._tcp.mail3.example.com. IN CNAME _dane.example.com.
    _dane.example.com         IN TLSA 2 1 1 ...

I can see that if you had both mail and web with _25 and _443 TLSA,
DNAME might be a little easier to set up.

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
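Added example (not part of the thread, and not code from any DNS implementation): a toy in-memory resolver that walks a TLSA query through both layouts discussed above, DNAME on the `_tcp` subtree versus wildcard CNAMEs, and reports which owner name finally answers. It makes the last point concrete: under the DNAME layout `_25._tcp.mail1` and `_443._tcp.mail1` land on `_25._dane` and `_443._dane`, which can carry different TLSA sets, while under the CNAME layout every port lands on the single `_dane.example.com` RRset. The zone contents, the `_443._dane` override record and the TLSA digest strings are constructed placeholders; the resolver implements only the pieces needed here (DNAME substitution per RFC 6672, closest-encloser wildcard matching per RFC 4592, CNAME chasing) and is not a full resolver.

```python
"""Toy resolver: where does a DANE TLSA lookup end up under the DNAME vs.
wildcard-CNAME layouts? Constructed example; zone data and digests are
placeholders, not real records."""

# Constructed zone, DNAME layout. "_443._dane" is an added per-port
# override to show that ports can differ under this layout.
ZONE_DNAME = {
    "_tcp.mail1.example.com.": {"DNAME": ["_dane.example.com."]},
    "_tcp.mail2.example.com.": {"DNAME": ["_dane.example.com."]},
    "_tcp.mail3.example.com.": {"DNAME": ["_dane.example.com."]},
    "*._dane.example.com.":    {"TLSA": ["2 1 1 <placeholder-digest-mail>"]},
    "_443._dane.example.com.": {"TLSA": ["2 1 1 <placeholder-digest-web>"]},
}

# Constructed zone, wildcard-CNAME layout as proposed in the reply.
ZONE_CNAME = {
    "*._tcp.mail1.example.com.": {"CNAME": ["_dane.example.com."]},
    "*._tcp.mail2.example.com.": {"CNAME": ["_dane.example.com."]},
    "*._tcp.mail3.example.com.": {"CNAME": ["_dane.example.com."]},
    "_dane.example.com.":        {"TLSA": ["2 1 1 <placeholder-digest-mail>"]},
}


def labels(name):
    return name.lower().rstrip(".").split(".")


def is_subdomain(name, ancestor):
    """True when name is strictly below ancestor (label-wise, not substring)."""
    n, a = labels(name), labels(ancestor)
    return len(n) > len(a) and n[-len(a):] == a


def dname_substitute(zone, qname):
    """RFC 6672: if an ancestor of qname owns a DNAME, rewrite the suffix.
    The DNAME owner itself is not substituted, only names below it."""
    for owner, rrsets in zone.items():
        if "DNAME" in rrsets and is_subdomain(qname, owner):
            prefix = labels(qname)[: -len(labels(owner))]
            return ".".join(prefix + labels(rrsets["DNAME"][0])) + "."
    return None


def name_exists(zone, name):
    """A name exists if it owns records or is an empty non-terminal."""
    return any(o == name or is_subdomain(o, name) for o in zone)


def find_rrsets(zone, qname):
    """Exact match first; otherwise RFC 4592 wildcard at the closest encloser."""
    if qname in zone:
        return qname, zone[qname]
    lbls = labels(qname)
    for i in range(1, len(lbls)):
        encloser = ".".join(lbls[i:]) + "."
        if name_exists(zone, encloser):
            wildcard = "*." + encloser
            if wildcard in zone:
                return wildcard, zone[wildcard]
            return None, None          # closest encloser found, no wildcard
    return None, None


def resolve(zone, qname, qtype, max_hops=8):
    """Follow DNAME rewrites and CNAME chains until an RRset of qtype is
    found. Returns (owner name that answered, rdata list) or (None, [])."""
    qname = qname.lower()
    for _ in range(max_hops):
        rewritten = dname_substitute(zone, qname)
        if rewritten:
            qname = rewritten
            continue
        owner, rrsets = find_rrsets(zone, qname)
        if rrsets is None:
            return None, []
        if qtype in rrsets:
            return owner, rrsets[qtype]
        if "CNAME" in rrsets:
            qname = rrsets["CNAME"][0].lower()
            continue
        return None, []
    raise RuntimeError("too many DNAME/CNAME indirections")


if __name__ == "__main__":
    for label, zone in (("DNAME", ZONE_DNAME), ("CNAME", ZONE_CNAME)):
        for q in ("_25._tcp.mail1.example.com.", "_443._tcp.mail1.example.com."):
            owner, rdata = resolve(zone, q, "TLSA")
            print(f"{label}: {q} -> {owner} {rdata}")
```

Running it shows the DNAME layout answering `_25` from `*._dane.example.com.` and `_443` from the explicit `_443._dane.example.com.`, while the CNAME layout answers both from `_dane.example.com.`; a host with no DNAME or wildcard gets no TLSA at all.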