• Michał Kępień's avatar
    Treat records below a DNAME as out-of-zone data · 6d8a514e
    Michał Kępień authored
    DNAME records indicate bottom of zone and thus no records below a DNAME
    should be DNSSEC-signed or included in NSEC(3) chains.  Add a helper
    function, has_dname(), for detecting DNAME records at a given node.
    Prevent signing DNAME-obscured records.  Check that DNAME-obscured
    records are not signed.
    (cherry picked from commit ff7015a0)
genzones.sh 9.73 KB