TritonDataCenter/triton-cns

CNS DNSSEC Support

Opened this issue · 1 comment

Steps to reproduce:

Set up CNS as hidden master
Set up DNS servers (BIND ISC) ns1.example.com (BIND master) & ns2.example.com (BIND slave) for example.com zone in combination with CNS as hidden master
Set up DNSSEC on ns1.example.com

Set a CNAME record to some instance like inst.dc.cns.example.com

dig CNAME example.com @8.8.8.8
will show ad flag (authentic domain) - DNSSEC 👍

dig A inst.dc.cns.example.com @8.8.8.8
will not show ad flag plus show a SERVFAIL - DNSSEC 👎

dig A inst.dc.cns.example.com @8.8.8.8 +cd
will show NOERROR proving DNSSEC validation problems.

This causes DNS troubles with tools like triton-dehydrated because Google's DNS 8.8.8.8 is very picky about DNSSEC flags. It just shows SERVFAIL.
Others like Cloudflare's 1.1.1.1 still show the ANSWER section but also produce SERVFAIL.

Are there any long-term plans on implementing DNSSEC into CNS? I guess this is a big task to be done... Would be looking forward to it a lot because now we have to disable DNSSEC on our side to be able to enjoy the CNAME magic of CNS.
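The dig triage the report walks through (check for the ad flag, then compare SERVFAIL against the same query with +cd) as an added Python example; this is not part of the issue or of triton-cns. The dig header fragments are constructed to match the three queries described, not captured from a real deployment, and the classification labels (secure, bogus, insecure, error) are this example's own.

```python
import re

# Constructed dig output fragments modelled on the three queries in the report.
# Signed example.com zone answered by a validating resolver: NOERROR with ad set.
DIG_SIGNED_ZONE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
# CNAME target inside the unsigned CNS zone: the resolver refuses the answer.
DIG_CNS_TARGET = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
# Same query with +cd (checking disabled): the data itself resolves fine.
DIG_CNS_TARGET_CD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

HEADER_RE = re.compile(r"status: (?P<status>[A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags: (?P<flags>[a-z ]*);", re.MULTILINE)


def parse_dig(output):
    """Return (status, set_of_flags) from dig's ';; ->>HEADER<<-' and ';; flags:' lines."""
    status = HEADER_RE.search(output).group("status")
    flags = set(FLAGS_RE.search(output).group("flags").split())
    return status, flags


def classify(normal_output, cd_output=None):
    """Triage one name the way the report does.

    secure   - NOERROR and the resolver set ad: the chain of trust validated.
    insecure - NOERROR without ad: answer returned but not validated (unsigned zone).
    bogus    - SERVFAIL that turns into NOERROR with +cd: DNSSEC validation failure.
    error    - SERVFAIL even with checking disabled: not a DNSSEC problem.
    The ANSWER count is ignored on purpose, since some resolvers (the report
    names 1.1.1.1) still include an ANSWER section alongside SERVFAIL.
    """
    status, flags = parse_dig(normal_output)
    if status == "NOERROR":
        return "secure" if "ad" in flags else "insecure"
    if status == "SERVFAIL" and cd_output is not None:
        cd_status, _ = parse_dig(cd_output)
        if cd_status == "NOERROR":
            return "bogus"
    return "error"
```

Feed it the raw text of `dig <name> @<resolver>` and `dig <name> @<resolver> +cd`; a result of "bogus" for a CNS-hosted name is the symptom described in this issue.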

Follow CNS-94 DNSSEC support for CNS for updates.