Arne Jensen wrote:
Because every authoritative RRset in a zone must be protected by a digital signature, RRSIG RRs must be present for names containing a CNAME RR. This is a change to the traditional DNS specification [RFC1034], which stated that if a CNAME is present for a name, it is the only type allowed at that name. An RRSIG and NSEC (see Section 4) MUST exist for the same name as a CNAME resource record in a signed zone. Can you tell me what exactly this means?
Hmm, it should mean that the specification of RFC 4034 is incomplete. That is, the RFC certainly specifies that a domain name with a CNAME may also have an RRSIG. However, the RFC does not say that, if a query to a server is for CNAME, the server must also return the RRSIG.

Worse, even if authoritative nameservers return both CNAME and RRSIG, if the TTL of the CNAME is longer than that of the RRSIG, the cache of a resolver may contain only the CNAME. Or, if a resolver is not aware of DNSSEC, the RRSIG won't be returned for a CNAME query.

As such, when a query for CNAME does not return the RRSIG, resolvers must explicitly ask for the RRSIG with another query message, the specification for which is missing in the RFC.

Masataka Ohta
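The TTL mismatch described in the reply above, as an added example that is not part of the original thread and not the code of any real resolver: a toy positive cache is filled once with a CNAME RRset and its covering RRSIG, and queried later under two policies. The naive policy keeps each RR for the TTL it arrived with, so the RRSIG expires first and the cache is left holding an unverifiable CNAME. The second policy clamps both records to the minimum of the four values RFC 4035 section 5.3.3 lists (RRset TTL, RRSIG TTL, the RRSIG's Original TTL, and time until Signature Expiration), so the pair always leaves the cache together. The owner name, TTLs and timestamps are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    ttl: int            # TTL as received in the response
    rdata: tuple


@dataclass(frozen=True)
class RRSIG:
    name: str
    type_covered: str
    ttl: int            # TTL of the RRSIG RR itself, as received
    original_ttl: int   # Original TTL field carried inside the RRSIG
    expiration: int     # Signature Expiration, epoch seconds


class Cache:
    """Minimal positive cache keyed by (owner name, type).

    cap_ttls=False: keep each RR for the TTL it arrived with (the situation
    the thread describes, where the CNAME can outlive its RRSIG).
    cap_ttls=True: clamp RRset and RRSIG to the minimum of the four values
    from RFC 4035 section 5.3.3, so both expire at the same instant.
    """

    def __init__(self, cap_ttls):
        self.cap_ttls = cap_ttls
        self.entries = {}   # (name, type) -> (expires_at, record)

    def store_signed(self, rrset, rrsig, now):
        assert rrsig.name == rrset.name and rrsig.type_covered == rrset.rtype
        if self.cap_ttls:
            ttl = min(rrset.ttl, rrsig.ttl, rrsig.original_ttl,
                      rrsig.expiration - now)
            rr_ttl = sig_ttl = max(ttl, 0)
        else:
            rr_ttl, sig_ttl = rrset.ttl, rrsig.ttl
        self.entries[(rrset.name, rrset.rtype)] = (now + rr_ttl, rrset)
        self.entries[(rrsig.name, "RRSIG/" + rrsig.type_covered)] = (now + sig_ttl, rrsig)

    def lookup(self, name, rtype, now):
        hit = self.entries.get((name, rtype))
        if hit is None or hit[0] <= now:
            return None     # absent or already expired
        return hit[1]


def cache_state(cache, name, now):
    """What a validator finds when it needs the CNAME together with its proof."""
    cname = cache.lookup(name, "CNAME", now)
    sig = cache.lookup(name, "RRSIG/CNAME", now)
    if cname is None:
        return "none"        # re-query upstream; a fresh signed answer carries both
    if sig is None:
        return "cname_only"  # the gap the thread describes: CNAME cached, proof gone
    return "both"


# Constructed sample data (hypothetical names, not real zone contents)
T0 = 1_700_000_000
CNAME = RRset("www.example.test.", "CNAME", ttl=3600, rdata=("host.example.test.",))
SIG = RRSIG("www.example.test.", "CNAME", ttl=300, original_ttl=3600,
            expiration=T0 + 86400)


def run_scenario(cap_ttls):
    """Store the pair at T0, then inspect the cache 60 s, 600 s and 4000 s later."""
    cache = Cache(cap_ttls)
    cache.store_signed(CNAME, SIG, T0)
    return [cache_state(cache, CNAME.name, T0 + dt) for dt in (60, 600, 4000)]


if __name__ == "__main__":
    print("naive  :", run_scenario(False))   # ['both', 'cname_only', 'none']
    print("capped :", run_scenario(True))    # ['both', 'none', 'none']
```

The "cname_only" state is the one to watch for: a cache that reports it has handed out an answer it can no longer prove from its own contents and will need a further RRSIG query, exactly as the reply points out, whereas the capped cache never enters that state because the unsigned remainder is simply treated as a miss.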