Thanks for asking. APP records are not supported for signed zones since they are dynamic and the current DNSSEC implementation signs records before serving them. There is a plan to add on-the-fly DNSSEC signing support, which would then be able to sign all records in a response automatically, so it would work with dynamic records like APP/ANAME. This may take a while to be added since it's not a priority at the moment.

Currently, as you have thought, you can have a signed zone with CNAME records and then create a subdomain zone for the same domain name which is unsigned and place your dynamic records like APP/ANAME there. This will work without issues, and the CNAME record will be validated while the final A record generated by APP/ANAME will remain insecure. However, your main zone is signed and all other records will be secure, thus it's a good tradeoff to consider.
It has been a very long time since I worked with DNS or looked at the RFC, prefacing this...
I've been thinking about how it would be possible to enable DNSSEC while using the APP record in Technitium. Currently you can't enable DNSSEC as APP records are not "valid" DNS records; however, what if valid records such as CNAME were used with a convention that would point them towards an app?
sg.example.com IN CNAME id-827193.failover.app.internal
Then the App would do the resolution and return whichever record is needed.
Does the idea sound feasible?
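The split-zone layout described in the reply (a signed parent zone holding the CNAME, an unsigned child zone holding the APP/ANAME record) is also what the question's "CNAME pointing at an app" idea amounts to, so here is one added example covering both. It is illustration code written for this page, not code from Technitium DNS Server or from either poster, and Python is used only because it is convenient for modelling the resolver side. Everything except the name sg.example.com is constructed: the child zone dyn.example.com, the 203.0.113.0/24 addresses, the APP handler, and a trust anchor placed at example.com to stand in for a secure chain from the root. No real signatures are verified; each RRset simply inherits the status of the zone that serves it. Two practitioner caveats the model makes visible: a validating resolver sets AD only when every RRset in the answer is Secure (RFC 4035 section 3.2.3), so even though the CNAME validates, the response for sg.example.com as a whole comes back without AD; and the unsigned child must be a real delegation (NS records in the parent, no DS), otherwise the parent's signed NSEC/NSEC3 proves there is no zone cut and validators treat the child's unsigned records as Bogus rather than Insecure.

```python
"""Toy DNSSEC validator for the split-zone workaround (signed parent zone plus
an unsigned child zone for APP/ANAME records).

Added illustration, not Technitium code. Zone names other than
sg.example.com, the 203.0.113.0/24 addresses and the APP handler are
constructed; no real signatures are checked. Each RRset inherits the status
of the zone that serves it, and AD is derived the way RFC 4035 section 3.2.3
requires: every RRset in the answer must be Secure.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, object]  # (rtype, rdata); an "APP" record's rdata is a callable


@dataclass
class Zone:
    name: str
    signed: bool          # zone publishes RRSIGs
    ns_in_parent: bool    # parent delegates this zone (NS records at the cut)
    ds_in_parent: bool    # parent publishes a DS pointing at this zone's key
    records: Dict[str, List[Record]] = field(default_factory=dict)


class ToyValidator:
    def __init__(self, zones: List[Zone], trust_anchor: str):
        self.zones = {z.name: z for z in zones}
        # Assumed secure from here upward; stands in for the chain from the root.
        self.trust_anchor = trust_anchor

    def zone_for(self, name: str) -> Zone:
        # Longest matching suffix wins, so a child zone shadows its parent.
        matches = [z for z in self.zones.values()
                   if name == z.name or name.endswith("." + z.name)]
        if not matches:
            raise KeyError(f"no zone serves {name}")
        return max(matches, key=lambda z: len(z.name))

    def parent_of(self, zone: Zone) -> Optional[Zone]:
        labels = zone.name.split(".")
        for i in range(1, len(labels)):
            parent = self.zones.get(".".join(labels[i:]))
            if parent is not None:
                return parent
        return None

    def zone_status(self, zone: Zone) -> str:
        """'secure', 'insecure' or 'bogus' for a whole zone, following the DS chain."""
        if zone.name == self.trust_anchor and zone.signed:
            return "secure"
        parent = self.parent_of(zone)
        parent_status = self.zone_status(parent) if parent else "insecure"
        if parent_status != "secure":
            return "insecure"      # nothing above can vouch either way
        if not zone.ns_in_parent:
            return "bogus"         # signed parent proves no zone cut exists here
        if not zone.signed or not zone.ds_in_parent:
            return "insecure"      # provably unsigned delegation (NS but no DS)
        return "secure"

    def resolve(self, qname: str, qtype: str = "A", max_hops: int = 8):
        """Follow CNAMEs across zone cuts; tag each RRset with its zone's status."""
        answer: List[Tuple[str, str, str, str]] = []
        name = qname
        for _ in range(max_hops):
            zone = self.zone_for(name)
            status = self.zone_status(zone)
            followed = False
            for rtype, rdata in zone.records.get(name, []):
                if rtype == "APP":
                    rtype, rdata = rdata()   # synthesised at query time, so it cannot be pre-signed
                if rtype not in (qtype, "CNAME"):
                    continue
                answer.append((name, rtype, rdata, status))
                if rtype == "CNAME":
                    name, followed = rdata, True
                    break
            if not followed:
                break
        ad = bool(answer) and all(s == "secure" for _, _, _, s in answer)
        return answer, ad


def failover_app() -> Tuple[str, str]:
    # Constructed stand-in for an APP record handler; the real one runs server-side code.
    return ("A", "203.0.113.10")


def build_layout(delegated: bool) -> ToyValidator:
    parent = Zone("example.com", signed=True, ns_in_parent=True, ds_in_parent=True, records={
        "sg.example.com": [("CNAME", "sg.dyn.example.com")],
        "www.example.com": [("A", "203.0.113.5")],
    })
    # Unsigned child zone holding the dynamic record. `delegated` controls whether
    # the parent carries NS records for dyn.example.com (it never carries a DS).
    child = Zone("dyn.example.com", signed=False, ns_in_parent=delegated, ds_in_parent=False, records={
        "sg.dyn.example.com": [("APP", failover_app)],
    })
    return ToyValidator([parent, child], trust_anchor="example.com")


def statuses(answer) -> List[Tuple[str, str, str]]:
    return [(owner, rtype, status) for owner, rtype, _, status in answer]


if __name__ == "__main__":
    for delegated in (True, False):
        answer, ad = build_layout(delegated).resolve("sg.example.com")
        print(f"delegated={delegated}: AD={ad} {statuses(answer)}")
```

With the child properly delegated, sg.example.com resolves to a Secure CNAME followed by an Insecure A, and AD is cleared; www.example.com, served entirely from the signed zone, gets AD. Flip `delegated` to False and the same A record becomes Bogus, which is what an external validator would report if the child zone existed only on the server without an NS delegation in the signed parent.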