I can see roughly three ways this might be done, in order of increasing complexity...
(1) Master-only. The master observes an ANAME record at the apex of a zone it loads and uses it to periodically refresh the relevant records in the zone (as if you had a cron job running dig | magic | nsupdate). Disadvantage: potentially lots of XFR traffic if the TTLs are low.

(2) Authority-only: All authority servers recognize ANAME records, PowerDNS style. Disadvantage: all authority servers need DNSSEC private keys.

(3) DNAME-style: Authority servers and resolvers recognize ANAME records. ANAME-aware servers (auth and rec) return the synthesized records for backwards compatibility, without signatures. For DNSSEC purposes the signed ANAME goes in the answer section and the original signed target goes in the additional section. Disadvantages: forklift upgrade; DNSSEC codepoint rollover.

Tony.

--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
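The "dig | magic | nsupdate" pipeline of option (1), written out as an added example (not code from the post or from any DNS server): it parses `dig +short` output, compares it with what the apex currently holds, and emits a BIND-style nsupdate batch only when the target's addresses changed, with a TTL floor so a low target TTL does not turn into a stream of zone changes and XFRs. Names, addresses and the floor value are constructed for the demonstration.

```python
"""Master-only ANAME refresh: resolve the ANAME target, diff against the apex,
and produce an nsupdate batch for the zone's master when something changed."""
from typing import Iterable, Optional


def parse_dig_short(output: str) -> set:
    """`dig +short NAME A` prints one address per line; collect them as a set."""
    return {line.strip() for line in output.splitlines() if line.strip()}


def published_ttl(target_ttl: int, floor: int) -> int:
    """Clamp the TTL we publish at the apex: each refresh that changes the zone
    triggers NOTIFY/XFR to every secondary, so very low target TTLs are raised
    to a floor (assumed policy, not from the post)."""
    return max(target_ttl, floor)


def aname_update(zone: str, owner: str, rrtype: str, current: Iterable[str],
                 target_addrs: Iterable[str], ttl: int) -> Optional[str]:
    """Return an nsupdate script replacing OWNER's RRTYPE RRset with the
    target's addresses, or None when nothing needs to change. An empty lookup
    result keeps the last-known-good RRset rather than emptying the apex."""
    current, new = set(current), set(target_addrs)
    if not new or current == new:
        return None
    lines = [f"zone {zone}", f"update delete {owner} {rrtype}"]
    lines += [f"update add {owner} {ttl} {rrtype} {addr}" for addr in sorted(new)]
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: what `dig +short cdn.example.net A` might print,
    # and what example.com. currently publishes at its apex.
    dig_output = "192.0.2.10\n192.0.2.11\n"
    apex_now = ["192.0.2.10"]
    ttl = published_ttl(target_ttl=30, floor=300)
    script = aname_update("example.com.", "example.com.", "A", apex_now,
                          parse_dig_short(dig_output), ttl)
    # A real cron job would pipe this into `nsupdate -k <key>`; here we print it.
    print(script if script else "no change")
```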