On Fri, Jul 14, 2017 at 05:11:18PM -0500, /dev/rob0 wrote:
> > Does zbc.com (for example) need DS, or is just passed by the TLD?
>
> Zbc.com. is not a zone, it is a CNAME in the com. TLD. There would
> be no NS to delegate to, therefore no DS.
Actually it *is* a zone: the .com TLD delegates to servers at iidns.com, which then return a CNAME at the zone apex, but only if the query is for type A. For other query types, including DNSKEY, they return NOERROR/NODATA.

This is a bad idea and they should stop doing it. If zbc.com were to be signed, it would need a DS in .com and it would also need a DNSKEY at zbc.com, which would be occluded by the cached CNAME, and DNSSEC validation would fail.

(This is more or less the exact use case for the proposed ANAME record.)

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
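The occlusion Evan describes can be modelled without touching the network. The following is an added example, not code from the original post, from ISC or from BIND: a toy authoritative server that behaves like the zbc.com servers (CNAME for type A at the apex, NOERROR/NODATA for everything else, plus a DNSKEY for the hypothetical "if it were signed" case) and a minimal caching resolver that applies the one rule that matters here, namely that a cached CNAME at an owner name answers queries for every type at that name. The CNAME target, the DNSKEY rdata and the server/resolver behaviour are constructed for illustration; only the names zbc.com and iidns.com come from the thread.

```python
"""Toy caching resolver showing why a CNAME at a zone apex occludes the apex
DNSKEY and so breaks DNSSEC validation of that zone.

Added example for the bind-users thread about zbc.com; not code from the
post, from ISC or from BIND.  Records, the CNAME target and the DNSKEY
rdata are constructed.  No TTLs, no negative caching, no signature
checking: only the cache-occlusion rule is modelled."""

NODATA = ()  # NOERROR with an empty answer section


class ApexServer:
    """Authoritative server for one apex name.

    With apex_cname_target set it imitates the servers described in the
    post: type A at the apex is answered with a CNAME and every other type
    gets NOERROR/NODATA, except that, being hypothetically signed, it does
    return its DNSKEY when asked for that type directly.  Without a CNAME
    target it serves an ordinary A record at the apex, for comparison."""

    def __init__(self, apex, dnskey, apex_cname_target=None, apex_a="192.0.2.1"):
        self.apex = apex
        self.dnskey = dnskey
        self.cname_target = apex_cname_target
        self.apex_a = apex_a

    def query(self, name, rtype):
        if name != self.apex:
            return NODATA
        if rtype == "DNSKEY":
            return ((name, "DNSKEY", self.dnskey),)
        if rtype == "A":
            if self.cname_target:
                return ((name, "CNAME", self.cname_target),)
            return ((name, "A", self.apex_a),)
        return NODATA


class CachingResolver:
    """Cache keyed by (owner, type).  RFC 1034 s3.6.2 / RFC 2181 s10.1: a
    CNAME at an owner name means no other data may exist there, so a cached
    CNAME answers a query for ANY type at that name without going back to
    the authoritative server.  That is the occlusion from the post."""

    def __init__(self, server):
        self.server = server
        self.cache = {}

    def resolve(self, name, rtype):
        if (name, "CNAME") in self.cache:
            return self.cache[(name, "CNAME")]
        if (name, rtype) in self.cache:
            return self.cache[(name, rtype)]
        answer = self.server.query(name, rtype)
        for owner, t, _ in answer:
            self.cache[(owner, t)] = tuple(rr for rr in answer if rr[:2] == (owner, t))
        return answer


def fetch_apex_dnskey(resolver, apex):
    """The step a validator takes after finding a DS in the parent: fetch the
    child apex DNSKEY RRset.  Returns the key rdata list, or None when the
    answer is a CNAME (apex occluded) or empty, i.e. validation cannot
    proceed and the zone would be treated as bogus."""
    answer = resolver.resolve(apex, "DNSKEY")
    if any(t == "CNAME" for _, t, _ in answer):
        return None
    keys = [rd for owner, t, rd in answer if owner == apex and t == "DNSKEY"]
    return keys or None


KEY = "257 3 13 constructed-ksk-rdata"  # constructed placeholder, not a real key


def signed_apex_cname(primed_by_a_lookup):
    """zbc.com as described in the post, but hypothetically signed."""
    server = ApexServer("zbc.com.", KEY, apex_cname_target="web.example.net.")
    resolver = CachingResolver(server)
    if primed_by_a_lookup:
        resolver.resolve("zbc.com.", "A")  # a browser user hit the site first
    return fetch_apex_dnskey(resolver, "zbc.com.")


def signed_normal_apex(primed_by_a_lookup):
    """Same zone with a proper A record at the apex instead of a CNAME."""
    server = ApexServer("zbc.com.", KEY)
    resolver = CachingResolver(server)
    if primed_by_a_lookup:
        resolver.resolve("zbc.com.", "A")
    return fetch_apex_dnskey(resolver, "zbc.com.")


if __name__ == "__main__":
    print("apex CNAME, cold cache      :", signed_apex_cname(False))
    print("apex CNAME, A looked up first:", signed_apex_cname(True))
    print("apex A,     A looked up first:", signed_normal_apex(True))
```

The first call finds the DNSKEY because the cache is empty and the DNSKEY query goes straight to the server; the second returns None because the earlier A lookup left a CNAME at the apex in the cache and that CNAME now answers the DNSKEY query too. Against the live servers the equivalent observation is to compare what an A query and a DNSKEY query for the apex actually return, which is exactly the A-only CNAME behaviour the post describes.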