A few interesting things about DNAMEs:

* For unsigned zones, resolvers don't have to do anything, but the DNAME itself can break
  - The synthesized CNAME makes the resolver "just work"
  - RFC 3597 section 7 says that resolvers MUST uncompress DNAMEs. If they don't, they may serve corrupt RRs
    So a nameserver that serves compressed DNAMEs must be "fixed" by the resolver.

* For signed zones three things can break
  - RFC 4034 section 6.2 explicitly says that DNAMEs must be lowercased before their signatures are validated
  - Synthesized CNAMEs are not signed, so resolvers have to use the DNAME to validate the CNAME.
    The DNAME must be signed and it must dictate the target of the CNAME

Our (OpenDNS/Umbrella) resolver ignored DNAMEs up until recently. The current release running in production gets just about all of the above wrong :(. FWIW, the next release (just waiting to go out!) fixes all of the above!
—
Brian
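As an added example (not OpenDNS/Umbrella code and not from this thread), here is a small Python sketch of the three resolver-side checks Brian lists: decompressing the DNAME target before reusing it, synthesizing the CNAME (including the owner-name and 255-octet edge cases from RFC 6672), and accepting an unsigned synthesized CNAME only when it matches what the validated DNAME dictates. The lowercasing follows the RFC 4034 section 6.2 canonical form cited above (RFC 6840 later revised the canonical-form rule for DNAME, so check what your validator applies). The message bytes, names and function names are constructed for this example.

```python
"""DNAME handling checks for a validating resolver (constructed example)."""

import struct


def read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) domain name from a DNS message.

    Follows RFC 1035 section 4.1.4 compression pointers and returns the
    decompressed, lowercased labels plus the offset just past the name.
    A resolver that copies raw DNAME RDATA containing a pointer into a
    different message serves a corrupt RR: the pointer targets bytes of
    the new message, not the original name.
    """
    labels = []
    end = None        # offset after the first pointer, i.e. where RDATA ends
    jumps = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                   # 11xxxxxx: compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            jumps += 1
            if jumps > 64:                           # guard against pointer loops
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:                              # root label terminates the name
            break
        labels.append(msg[offset:offset + length].decode("ascii").lower())
        offset += length
    return tuple(labels), (end if end is not None else offset)


def synthesize_cname(qname, dname_owner, dname_target):
    """Return the CNAME target synthesized for qname under the DNAME, or None.

    Only proper subdomains of the DNAME owner are redirected; the owner
    itself is not (RFC 6672 section 2.2). A result longer than 255 octets
    on the wire must be answered with YXDOMIN rather than truncated
    (RFC 6672 section 3.2); this is modelled as a ValueError.
    """
    q = tuple(label.lower() for label in qname)
    owner = tuple(label.lower() for label in dname_owner)
    if len(q) <= len(owner) or q[len(q) - len(owner):] != owner:
        return None
    prefix = q[:len(q) - len(owner)]
    new_name = prefix + tuple(label.lower() for label in dname_target)
    wire_len = sum(len(label) + 1 for label in new_name) + 1   # labels plus root
    if wire_len > 255:
        raise ValueError("YXDOMAIN: synthesized name exceeds 255 octets")
    return new_name


def cname_matches_dname(cname_owner, cname_target, dname_owner, dname_target):
    """A synthesized CNAME carries no RRSIG. A validator accepts it only when
    it equals what the already-validated DNAME would synthesize; a CNAME
    pointing anywhere else is rejected as unsigned data."""
    expected = synthesize_cname(cname_owner, dname_owner, dname_target)
    return expected is not None and expected == tuple(l.lower() for l in cname_target)


def canonical_dname_rdata(target):
    """Canonical RDATA for a DNAME as fed to signature validation: the target
    in uncompressed wire form, lowercased (RFC 4034 section 6.2 as cited)."""
    return b"".join(bytes([len(l)]) + l.lower().encode("ascii") for l in target) + b"\x00"


def demo():
    """Constructed message: DNAME example.com -> example.net, with the RDATA
    compressed into a pointer, redirecting the query WWW.Example.COM."""
    msg = (b"\x07example\x03net\x00"      # offset 0: the DNAME target
           + b"\x07example\x03com\x00"    # offset 13: the DNAME owner
           + b"\xC0\x00")                 # offset 26: RDATA = pointer to offset 0
    owner, _ = read_name(msg, 13)
    target, _ = read_name(msg, 26)
    cname = synthesize_cname(("WWW", "Example", "COM"), owner, target)
    return owner, target, cname


if __name__ == "__main__":
    print(demo())   # (('example', 'com'), ('example', 'net'), ('www', 'example', 'net'))
```

The decompression step is the one that bites when an authoritative server compresses the DNAME target: copying the six RDATA bytes from `demo()`'s message into a response unchanged would point at whatever happens to sit at offset 0 there.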
> On Mar 29, 2020, at 4:23 AM, Meir Kraushar via dns-operations
> <[email protected]> wrote:
>
>
> From: Meir Kraushar <[email protected]>
> Subject: Any DNAME usage experience?
> Date: March 29, 2020 at 4:23:29 AM PDT
> To: [email protected]
>
>
> Hi
>
> I'm looking for insights and usage experience regarding DNAME record
> implementation.
> Are there any compatibility issues, client side problems, resolvers etc.?
> I would highly appreciate it if anyone could share their knowledge.
>
> Take care and stay safe.
> Thank you!
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations