On Fri, Jan 16, 2015 at 08:35:11AM -0500, John wrote:
> I originally thought of using dname records for the domain aliases and cname records for the TLSA records.
You seem to be adding the list into the middle of a conversation. Can you start at the beginning? What are you trying to achieve? Be specific.
> But for this to work I would need to enable recursion on the authoritative server. I understand that for very good reasons this is considered a very bad idea, therefore I won't go in this direction.
Again, what are you talking about? There are in fact valid deployments in which CNAME and DNAME records are used for TLSA records in the same way they work for any other DNS RRtype.
CNAMEs are specifically recommended for certificate usage DANE-TA(2) configurations where the organization's issuing CA TLSA RRs are kept in one place, and CNAME aliases point there from multiple hosts.
https://tools.ietf.org/html/draft-ietf-dane-ops-07#section-5.2
When a host is an alias to another host, the same draft suggests that its TLSA records should automatically be sought there and this is required by the SMTP DANE draft. So you don't need to do anything special for that. However you can also:
    www.example.com.      IN CNAME cdn.example.net.
    _tcp.www.example.com. IN DNAME _tcp.cdn.example.net.
> As an alternative I am considering using the same zone file for all three zones.
I don't see how this changes much of anything.
> I assume that I should only have maintain and inline on the main domain entry in bind. Is this the "best" way of aliasing? What gotchas should I be aware of?
The first gotcha is that we are not mind readers, and you should explain with some specificity what problem you're trying to solve.
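As an added illustration of the aliasing mechanics discussed in this thread (not code from the thread or from any DNS software), the following Python script walks a small constructed in-memory zone and shows how a TLSA lookup reaches records published under a different owner name: the `_tcp.www.example.com. DNAME _tcp.cdn.example.net.` rewrite from the reply, a host CNAME (`www.example.com. CNAME cdn.example.net.`) that moves the TLSA base domain to the alias target, and the DANE-TA(2) pattern where several `_25._tcp.<mx>` names are CNAMEs to one shared issuer-CA TLSA RRset. The zone contents, the `<digest-placeholder>` rdata and the lookup order (alias-expanded name first, original name as a fallback) are assumptions of this example.

```python
"""Follow CNAME/DNAME aliases to find where TLSA records live.

Constructed example: the zone data below is made up for illustration and the
TLSA rdata uses placeholder digests rather than real certificate hashes.
"""

# Constructed in-memory zone: owner name -> list of (rrtype, rdata).
# Names are fully qualified with a trailing dot, as in a zone file.
ZONE = {
    "www.example.com.": [("CNAME", "cdn.example.net.")],
    "_tcp.www.example.com.": [("DNAME", "_tcp.cdn.example.net.")],
    "_443._tcp.cdn.example.net.": [("TLSA", "2 1 1 <digest-placeholder>")],
    # DANE-TA(2) pattern: per-host TLSA names are CNAMEs pointing at one
    # shared RRset that carries the organisation's issuing-CA TLSA record.
    "_25._tcp.mx1.example.com.": [("CNAME", "_dane.example.com.")],
    "_25._tcp.mx2.example.com.": [("CNAME", "_dane.example.com.")],
    "_dane.example.com.": [("TLSA", "2 1 1 <ca-digest-placeholder>")],
}

MAX_HOPS = 8  # guard against CNAME/DNAME loops


def _apply_dname(name, zone):
    """Substitute a DNAME owned by any proper ancestor of name (RFC 6672).

    The DNAME owner itself is never rewritten, only names below it.
    """
    labels = name.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        for rrtype, rdata in zone.get(ancestor, []):
            if rrtype == "DNAME":
                prefix = ".".join(labels[:i])
                return prefix + "." + rdata
    return name


def resolve(name, rrtype, zone):
    """Return (final_owner, rdatas) after following DNAME and CNAME aliases.

    Stops at the first owner that has the wanted rrtype, or at a name with
    neither the wanted type nor a CNAME (returned with an empty rdata list).
    """
    for _ in range(MAX_HOPS):
        name = _apply_dname(name, zone)
        rrs = zone.get(name, [])
        wanted = [rd for t, rd in rrs if t == rrtype]
        if wanted:
            return name, wanted
        cnames = [rd for t, rd in rrs if t == "CNAME"]
        if not cnames:
            return name, []
        name = cnames[0]
    raise RuntimeError("alias chain too long at " + name)


def tlsa_for_service(host, port, proto, zone):
    """Locate TLSA records for host:port.

    Lookup order is this example's assumption: the CNAME-expanded host name
    is tried first (the target's own TLSA records), then the original name.
    Returns (owner_name_where_found, tlsa_rdatas) or (None, []).
    """
    expanded, _ = resolve(host, "A", zone)  # expands any host CNAME chain
    candidates = [expanded, host] if expanded != host else [host]
    for base in candidates:
        owner = "_%d._%s.%s" % (port, proto, base)
        final, rrs = resolve(owner, "TLSA", zone)
        if rrs:
            return final, rrs
    return None, []


if __name__ == "__main__":
    # DNAME rewrite: the query never needs a record under www.example.com.
    print(resolve("_443._tcp.www.example.com.", "TLSA", ZONE))
    # Host CNAME: TLSA base domain moves to cdn.example.net.
    print(tlsa_for_service("www.example.com.", 443, "tcp", ZONE))
    # Shared DANE-TA(2) RRset reached through per-host CNAMEs.
    print(tlsa_for_service("mx1.example.com.", 25, "tcp", ZONE))
    print(tlsa_for_service("mx2.example.com.", 25, "tcp", ZONE))
```

The point of the three cases is that none of them needs recursion on the authoritative server: the server only hands out the CNAME/DNAME records it owns, and the client (or its validating resolver) does the chasing.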