Open
Description
With DNSSEC enabled on both the original and the 'redirected' zone, both zones will have the returned record signed:

Without alias:
```
;; ANSWER SECTION:
kepgep.hu. 60 IN CNAME 4vf46kl453hqufom6shy38a0auaocbxy6sjf0r2nbiijd351dh.wiredns.org.
4vf46kl453hqufom6shy38a0auaocbxy6sjf0r2nbiijd351dh.wiredns.org. 60 IN AAAA 2a01:36c:3200:4158:3bb:2c05:0:10
4vf46kl453hqufom6shy38a0auaocbxy6sjf0r2nbiijd351dh.wiredns.org. 60 IN RRSIG AAAA 13 3 3600 20250822130128 20250814100128 22179 wiredns.org. NX6oGSibI27TdF2+rH4lol9vK8zXOQAQiWq9AXdsNUwk1R4eIh7ZPlQA Wkd/ewTh3z4/ytvVxmKJESCGQ2NRqg==
4vf46kl453hqufom6shy38a0auaocbxy6sjf0r2nbiijd351dh.wiredns.org. 60 IN RRSIG AAAA 13 3 3600 20250822130128 20250814100128 22179 kepgep.hu. TA+JWmI7iysJr8HVq3n1quXXvcuEEaMXbPPfMkXCTYSMMwMmD/0vmQX1 g0HK0mmL/XFS4GVrO0G9Tnm3vu2GEg==
kepgep.hu. 60 IN RRSIG CNAME 13 2 3600 20250822130128 20250814100128 22179 kepgep.hu. waS4GbDEvXuj/nY4onbETIy7+SzTP0s/6vv8E7TyKV4fcm/FWL3INCVA cWyjGRtJ8TqdSLygUcESjBFlqDqQrA==
```
With alias:
```
;; ANSWER SECTION:
kepgep.hu. 60 IN A 80.95.80.45
kepgep.hu. 60 IN RRSIG A 13 3 3600 20250822131014 20250814101014 22179 wiredns.org. Dcke3I5kRcHTPSgwgg+FjbddPw9utu7WbLGgHkAIBz4Y835L9w2ElNHq kDmS+T5EMpcOc78fN/AhV0ireyZwHw==
kepgep.hu. 60 IN RRSIG A 13 2 3600 20250822131019 20250814101019 22179 kepgep.hu. 7N/E4pX364GiGOPnvjM916k5meQsBtrz14E6fbGI7GflCJmjH90Kkg47 KLbPlITGlBwvGzsHxdPoi3jhb2u9Pw==
```
Both answers are wrong 😄

- The 1st is because of the CNAME in the zone apex, of course.
- The 2nd is because the target zone signs a record for the source zone.

While this is not an RFC violation, it creates extra traffic and error messages on DNS validation solutions (RFC 4035, Section 5.3.1, "Checking the RRSIG RR Validity").
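
The extra signatures reported above can be spotted offline from `dig` output. The following is an added example, not part of the original issue or the project's code: it applies the RFC 4035 Section 5.3.1 checks that need no key material (signer name, Labels field, covered type, validity window). The function names and reason strings are assumptions, and the sample input is constructed from the shape of the "with alias" answer with the signature data replaced by a placeholder.

```python
from datetime import timezone

# Constructed sample shaped like the issue's "with alias" answer (signatures replaced).
SAMPLE = """\
;; ANSWER SECTION:
kepgep.hu. 60 IN A 80.95.80.45
kepgep.hu. 60 IN RRSIG A 13 3 3600 20250822131014 20250814101014 22179 wiredns.org. PLACEHOLDER==
kepgep.hu. 60 IN RRSIG A 13 2 3600 20250822131019 20250814101019 22179 kepgep.hu. PLACEHOLDER==
"""

def labels(name):
    """Lowercased labels of an absolute name; the root yields []."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def parse_answer(text):
    """Return (set of (owner, type) RRsets, list of RRSIG dicts) from dig lines."""
    rrsets, rrsigs = set(), []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0].startswith(";"):
            continue
        owner = f[0].lower()
        if f[3] != "RRSIG":
            rrsets.add((owner, f[3]))
        elif len(f) >= 13:
            # rdata: covered alg labels origttl expiration inception keytag signer sig
            rrsigs.append({"owner": owner, "covered": f[4], "labels": int(f[6]),
                           "expire": f[8], "incept": f[9], "signer": f[11].lower()})
    return rrsets, rrsigs

def check_rrsigs(text, now):
    """List (owner, signer, reason) for RRSIGs failing the offline 5.3.1 checks."""
    rrsets, rrsigs = parse_answer(text)
    stamp = now.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S")
    findings = []
    for s in rrsigs:
        own, sig = labels(s["owner"]), labels(s["signer"])
        reasons = []
        if (s["owner"], s["covered"]) not in rrsets:
            reasons.append("no-rrset-for-covered-type")
        # Approximation (zone cuts are unknown offline): the signer must at
        # least be the owner name itself or an ancestor of it.
        if own[len(own) - len(sig):] != sig:
            reasons.append("signer-not-enclosing-owner")
        if s["labels"] > len(own):
            reasons.append("labels-exceed-owner")
        if not s["incept"] <= stamp <= s["expire"]:
            reasons.append("outside-validity-window")
        findings += [(s["owner"], s["signer"], r) for r in reasons]
    return findings
```

Pass a timezone-aware `datetime` as `now`; an empty result means every RRSIG in the answer passed these structural checks, not that its signature verified.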