
On 1/17/2015 12:31 PM, Viktor Dukhovni wrote:
>> The only downside that I see is that the aliases will not themselves be using DNSSEC. I am not sure this matters as "real" services will.
>
> I don't see why this follows. A CNAME from a signed into another signed zone "uses DNSSEC".

"from a signed into another signed": neither klam.biz nor .com will be in themselves signed; they will inherit the signing of klam.ca. I did wonder if adding both a DNAME and a CNAME for klam.com might work.
Something like:

    klam.com IN DNAME klam.ca ; this handles the subtree of klam.com
    klam.com IN CNAME klam.ca ; this handles klam.com itself

I have not tried it and my guess is that if it even passes validity checks it will produce unexpected consequences. In the meantime I will stick to the single zone file for the moment. Thanks one and all
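
The validity question raised above can be checked mechanically. The following is an added example, not part of the original message: RFC 1034 forbids other data at a name that owns a CNAME (RFC 4034 excepts RRSIG and NSEC), and RFC 6672 forbids a DNAME at the same owner name as a CNAME. The function names are hypothetical, the sample zone text is constructed, and the parser assumes one record per line with an explicit owner name.

```python
# Added example: flag owner names where a CNAME coexists with other records.
from collections import defaultdict

# Constructed sample: the two proposed records plus one unrelated record.
SAMPLE = """\
klam.com. IN DNAME klam.ca. ; subtree of klam.com
klam.com. IN CNAME klam.ca. ; klam.com itself
www.klam.ca. 3600 IN A 192.0.2.10
"""

CLASSES = {"IN", "CH", "HS"}
# RFC 4034 lets these DNSSEC types sit beside a CNAME.
ALLOWED_WITH_CNAME = {"RRSIG", "NSEC"}


def parse_records(text):
    """Yield (owner, rrtype) from simple one-line records with explicit owners."""
    for line in text.splitlines():
        # Drop comments (naive: does not handle ';' inside quoted TXT data).
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        owner, rest = fields[0].lower(), fields[1:]
        # Skip the optional TTL and class that precede the type field.
        while rest and (rest[0].isdigit() or rest[0].upper() in CLASSES):
            rest = rest[1:]
        if rest:
            yield owner, rest[0].upper()


def cname_conflicts(text):
    """Return {owner: sorted other types} where a CNAME shares its owner name."""
    types = defaultdict(set)
    for owner, rrtype in parse_records(text):
        types[owner].add(rrtype)
    return {
        owner: sorted(t - {"CNAME"} - ALLOWED_WITH_CNAME)
        for owner, t in types.items()
        if "CNAME" in t and t - {"CNAME"} - ALLOWED_WITH_CNAME
    }


if __name__ == "__main__":
    for owner, others in cname_conflicts(SAMPLE).items():
        print(f"{owner}: CNAME coexists with {', '.join(others)}")
```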