On Sun, Sep 21, 2014 at 08:13:46AM -0700, Paul Hoffman wrote:

> - What happens / should happen if the "@ IN MX 25 outpost.ds9a.nl." record
> is not in the zone file and the server gets an MX query for example.com?

It proxies that on as an MX query for www.powerdns.com and puts back the
answer. So ALIAS is type transparent.

> > PS: the above is currently not yet supported for DNSSEC domains!
>
> Can you say (much) more about that aside? Does it mean that the server
> will fail to load the zone if there are DNSSEC records and ALIAS
> pseudo-records? Or that the DNSSEC gets broken? Or that the ALIAS gets
> broken? Or... ?

In the current branch, it will load the zone, but neglect to add signatures
for the proxied records. In other words, if you do DNSSEC, it will load the
zone but make you BOGUS.

This is not a fundamental problem as long as we have keys. If you don't have
the keys, we can't sign anyhow. We'll add the signing code shortly, we just
haven't typed it in yet.

An interesting opening is that we'd be signing potentially unsigned data
this way. Potentially, we should check for the AD bit. But first let's see
how this idea fits.

Bert
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
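
A small model of the behaviour discussed in the message above, added here as an example; it is not PowerDNS code and not part of the original thread. It shows a type-transparent ALIAS answer being re-owned at the queried name, a check that flags answer RRsets with no covering RRSIG (the condition a validator in a signed zone treats as bogus), and an AD-bit gate before signing. The names `alias_answer`, `uncovered_rrsets` and `require_ad`, the refuse-when-unvalidated policy, and the sample record are all assumptions.

```python
from collections import namedtuple

# Constructed model: the rdata of an RRSIG begins with the type it covers.
RR = namedtuple("RR", "owner rrtype rdata")


def uncovered_rrsets(answer):
    """Return the (owner, type) RRsets in an answer with no covering RRSIG."""
    covered = {(r.owner.lower(), r.rdata.split()[0].upper())
               for r in answer if r.rrtype == "RRSIG"}
    present = {(r.owner.lower(), r.rrtype.upper())
               for r in answer if r.rrtype != "RRSIG"}
    return sorted(present - covered)


def alias_answer(qname, qtype, upstream, upstream_ad, sign, require_ad=False):
    """Model of the ALIAS path: proxy qtype to the target, re-own the
    returned records at qname, and optionally attach a signature placeholder.

    require_ad is a hypothetical policy: only sign data that the upstream
    resolver validated (AD bit set); otherwise return no answer at all.
    """
    if require_ad and not upstream_ad:
        return None
    answer = [RR(qname, r.rrtype, r.rdata)
              for r in upstream if r.rrtype == qtype]
    if sign and answer:
        # Placeholder only: no real cryptographic signature is produced.
        answer.append(RR(qname, "RRSIG", f"{qtype} <constructed-signature>"))
    return answer


# Constructed upstream reply to "www.powerdns.com MX" (values are made up).
UPSTREAM_MX = [RR("www.powerdns.com.", "MX", "10 mail.example.net.")]

if __name__ == "__main__":
    # Zone is signed, but proxied records carry no RRSIG: reported as uncovered.
    unsigned = alias_answer("example.com.", "MX", UPSTREAM_MX,
                            upstream_ad=False, sign=False)
    print("unsigned RRsets:", uncovered_rrsets(unsigned))

    # Signing enabled and the upstream data was validated.
    signed = alias_answer("example.com.", "MX", UPSTREAM_MX,
                          upstream_ad=True, sign=True, require_ad=True)
    print("unsigned RRsets:", uncovered_rrsets(signed))

    # Signing enabled, but the upstream data was not validated: refuse.
    print("unvalidated upstream:", alias_answer(
        "example.com.", "MX", UPSTREAM_MX,
        upstream_ad=False, sign=True, require_ad=True))
```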