On Fri, Jan 16, 2015 at 11:59:41AM -0500, John wrote:
This is about half of my original message; it looks as though the moths have been at it.
That's a relief, at least you tried to give us some context! :-)
### My original message ###
I have three domains two of which are effectively aliases for the other (klam.ca --> klam.biz and klam.com).
++++ Poorly expressed: klam.ca is my main domain, I would like the other two to be aliases.
Note that, at least in some cases, registrars create aliases between domains; these can even be DNSSEC validated:

$ dig +ad +noall +comment +ans -t mx nic.li.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16620
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; ANSWER SECTION:
nic.li.         3599    IN  CNAME   switch.ch.
switch.ch.      86400   IN  MX      10 presunto.switch.ch.
switch.ch.      86400   IN  MX      20 jinhua.switch.ch.
switch.ch.      86400   IN  MX      20 bresaola.switch.ch.
switch.ch.      86400   IN  MX      10 elenski.switch.ch.
Though I must admit I don't know what it takes to register a domain as an alias to another rather than as a separate zone.
Currently all three zones are DNSSEC signed; klam.ca has TLSA records for things like the email system and some web services. I would like to set up domain aliases klam.biz and klam.com.
I originally thought of using DNAME records for the domain aliases and cname records for the TLSA records.
Go ahead and do that.
But for this to work I would need to enable recursion on the authoritative server. I understand that for very good reasons this is considered a very bad idea; therefore I won't go in this direction.
I don't think so. Any required recursion will be done by resolvers and applications.
++++ I had this wrong, recursion is not needed.
Correct, not in the sense of allowing recursive DNS queries.
An alternative I am considering is using the same zone file for all three zones. I assume that I would need to turn off maintain and inline for the alias zones (klam.biz and klam.ca). But this should mean that I only have to maintain one zone file for all three domains.
Using a single source file may work, but the DNSKEY, RRSIG and NSEC3 records have to be external to that file (as with auto-maintain in BIND) and merged in as part of building the signed zones.
BIND 9.10.1 or 9.9.6 or later should be able to do this, and avoid aliases if all three zones are intended to look identical, but this requires some careful analysis to make sure you never need any non-DNSSEC differences of any kind.
Is this the "best" way of aliasing? What gotchas should I be aware of?
Use CNAME and/or DNAME to alias either a single domain name or sub-trees as you see fit.
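As an added illustration of the CNAME/DNAME aliasing discussed in this thread (not code from the thread, from John, or from BIND), here is a small Python model of how a resolver, rather than the authoritative server, follows DNAME and CNAME aliases when it looks up, say, a TLSA record under an alias domain. The zone data is constructed: the klam.* names come from the thread, the addresses are from the 192.0.2.0/24 documentation range, and the TLSA hash is a placeholder. It also shows one gotcha the DNAME route carries that the thread does not spell out: a DNAME redirects only the names below its owner, so the alias zone's apex (its MX, for example) still needs records of its own.

```python
"""Added example: how a resolver follows DNAME and CNAME aliases.

The zone data below is constructed for illustration; only the domain
names come from the thread, and the TLSA hash is a placeholder.
"""

# Constructed zone data: owner name -> {RR type: [rdata, ...]}.
# klam.ca. is the real zone; klam.biz. and klam.com. are DNAME aliases.
ZONE = {
    "klam.ca.":               {"MX": ["10 mail.klam.ca."]},
    "mail.klam.ca.":          {"A": ["192.0.2.25"]},
    "www.klam.ca.":           {"A": ["192.0.2.80"]},
    "_443._tcp.www.klam.ca.": {"TLSA": ["3 1 1 PLACEHOLDER_SPKI_SHA256"]},
    # Alias zone: the DNAME redirects everything *below* klam.biz., so the
    # apex still needs its own MX record (a DNAME never covers its owner).
    "klam.biz.":              {"DNAME": ["klam.ca."], "MX": ["10 mail.klam.ca."]},
    # Alias zone with DNAME only: the apex MX is left out on purpose.
    "klam.com.":              {"DNAME": ["klam.ca."]},
}

MAX_ALIAS_STEPS = 8  # resolvers bound alias chains so loops cannot spin forever


def find_dname(qname):
    """Return (owner, target) of the closest DNAME above qname, or None.

    The owner itself is excluded: per RFC 6672 a DNAME redirects only the
    subtree below its owner name, never the owner.
    """
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:]) + "."
        dname = ZONE.get(ancestor, {}).get("DNAME")
        if dname:
            return ancestor, dname[0]
    return None


def dname_substitute(qname, owner, target):
    """RFC 6672 substitution: swap the DNAME owner suffix for its target."""
    if not qname.endswith("." + owner):
        raise ValueError("qname must lie below the DNAME owner")
    prefix = qname[: -len(owner)]   # e.g. "www." from "www.klam.biz."
    return prefix + target          # -> "www.klam.ca."


def resolve(qname, qtype):
    """Follow CNAMEs and DNAME-synthesized CNAMEs the way a resolver does.

    Returns (alias_chain, rdata_list): alias_chain lists each
    (from_name, to_name) step taken; rdata_list is empty when the final
    name has no record of the requested type (NODATA / NXDOMAIN).
    """
    chain = []
    for _ in range(MAX_ALIAS_STEPS):
        rrsets = ZONE.get(qname, {})
        if qtype in rrsets:
            return chain, rrsets[qtype]
        if "CNAME" in rrsets:            # explicit alias at this name
            target = rrsets["CNAME"][0]
            chain.append((qname, target))
            qname = target
            continue
        found = find_dname(qname)
        if found:                        # synthesize the CNAME the DNAME implies
            owner, target = found
            new_name = dname_substitute(qname, owner, target)
            chain.append((qname, new_name))
            qname = new_name
            continue
        return chain, []                 # nothing to follow and no such RRset
    raise RuntimeError("alias chain too long: " + qname)


if __name__ == "__main__":
    for query in [("www.klam.biz.", "A"), ("_443._tcp.www.klam.com.", "TLSA"),
                  ("klam.biz.", "MX"), ("klam.com.", "MX")]:
        print(query, "->", resolve(*query))
```

The TLSA lookup for `_443._tcp.www.klam.com.` ends at `_443._tcp.www.klam.ca.` after one synthesized CNAME step, which is the "recursion" John was worried about: it happens in the validating resolver, and the answer validates as long as the DNAME in the alias zone and the target RRset in klam.ca are both signed. The `klam.com.` MX query returns nothing because the DNAME does not apply to its own owner; that apex RRset must be published explicitly, as the `klam.biz.` entry does.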