On Sat, Jan 17, 2015 at 01:00:53PM -0500, John wrote:
I don't see why this follows. A CNAME from a signed into another signed zone "uses DNSSEC".
"from a signed into another signed" neither klam.biz nor .com will be in themselves signed; they will inherit the signing of klam.ca.
No such "inheriting" is possible. Each domain's DNSKEY, SOA and associated RRSIG records are its own.
I did wonder about adding both a dname and a cname for klam.com might work.
Something like:
klam.com IN DNAME klam.ca # this handles the subtree of klam.com
klam.com IN CNAME klam.ca # this handles klam.com itself
This is illegal. You cannot combine CNAME records with records other than RRSIG and NSEC. The DNAME is fine, but any records at the zone apex need to be duplicates, not CNAMEs.
Only the ".com" registry can create a working CNAME from one .com domain to another.
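The coexistence rule stated in the reply above (a CNAME may share its owner name only with RRSIG and NSEC), as an added example that is not part of the original thread: a small pre-publication check over simplified zone lines. The SOA, NS and A data, the name ns1.klam.ca and the 192.0.2.10 address are constructed for illustration.

```python
from collections import defaultdict

# Types the reply says may share an owner name with a CNAME.
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC"}

def parse_records(text):
    """Parse simplified 'owner [ttl] IN type rdata' lines into (owner, type) pairs."""
    records = []
    for line in text.splitlines():
        # Drop ';' comments, and '#' comments as used in the quoted proposal.
        line = line.split(";", 1)[0].split("#", 1)[0].strip()
        fields = line.split()
        if "IN" not in fields[1:-1]:
            continue  # blank line or not a record in this simplified format
        rtype = fields[fields.index("IN", 1) + 1].upper()
        records.append((fields[0].lower().rstrip("."), rtype))
    return records

def cname_conflicts(text):
    """Return {owner: [types]} for owner names that mix CNAME with disallowed data."""
    by_owner = defaultdict(set)
    for owner, rtype in parse_records(text):
        by_owner[owner].add(rtype)
    return {
        owner: sorted(types - ALLOWED_WITH_CNAME)
        for owner, types in by_owner.items()
        if "CNAME" in types and types - ALLOWED_WITH_CNAME
    }

# Constructed sample: the proposal from the thread placed in a zone, whose apex
# necessarily carries SOA and NS, so the apex CNAME conflicts with all three.
PROPOSED = """
klam.com. 3600 IN SOA ns1.klam.ca. hostmaster.klam.ca. 1 7200 900 1209600 3600
klam.com. 3600 IN NS ns1.klam.ca.
klam.com. 3600 IN DNAME klam.ca.   # this handles the subtree of klam.com
klam.com. 3600 IN CNAME klam.ca.   # this handles klam.com itself
"""

# Constructed sample: DNAME kept, apex data duplicated instead of using a CNAME.
FIXED = """
klam.com. 3600 IN SOA ns1.klam.ca. hostmaster.klam.ca. 1 7200 900 1209600 3600
klam.com. 3600 IN NS ns1.klam.ca.
klam.com. 3600 IN DNAME klam.ca.
klam.com. 3600 IN A 192.0.2.10     ; copy of the klam.ca apex address (constructed)
"""

if __name__ == "__main__":
    print("proposed:", cname_conflicts(PROPOSED))
    print("fixed:   ", cname_conflicts(FIXED))
```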