The problem?
Routers can dynamically maintain a DNS record that resolves to the router's public IP. The problem is that whilst <serial>.sn.mynetname.net resolves, the intermediary domain returns an NXDOMAIN (does not exist) response, so DNSSEC-validating resolvers correctly mark all subdomains as invalid.
Demonstration:
[root@linux-test ~]# nslookup
> set q=any
> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
> sn.mynetname.net
Server: 8.8.8.8
Address: 8.8.8.8#53
** server can't find sn.mynetname.net: SERVFAIL
> 8aff0abfe5e9.sn.mynetname.net
Server: 8.8.8.8
Address: 8.8.8.8#53
** server can't find 8aff0abfe5e9.sn.mynetname.net: SERVFAIL
You can see the same information being presented when analyzing the domain using DNSVIZ:
https://dnsviz.net/d/8aff0abfe5e9.sn.my ... et/dnssec/
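The condition described in the post, a name that resolves while a name above it answers NXDOMAIN, can be checked mechanically, since RFC 8020 defines NXDOMAIN as meaning nothing exists beneath that name. The sketch below is an added example, not part of the original post or any MikroTik tooling; the function names, the `apex` parameter and the sample rcodes are assumptions constructed from the post's description.

```python
"""Added example: flag ancestors that answer NXDOMAIN above a name that exists."""
from typing import Callable, Dict, List

NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"

# Constructed authoritative rcodes modelled on the post: the leaf resolves
# while the intermediary name claims not to exist.
SAMPLE_AUTH_ANSWERS: Dict[str, str] = {
    "mynetname.net.": NOERROR,
    "sn.mynetname.net.": NXDOMAIN,
    "8aff0abfe5e9.sn.mynetname.net.": NOERROR,
}

def fqdn(name: str) -> str:
    """Normalise to lower case with exactly one trailing dot."""
    return name.rstrip(".").lower() + "."

def ancestors(name: str, apex: str) -> List[str]:
    """Names strictly between `name` and the zone apex, closest first."""
    name, apex = fqdn(name), fqdn(apex)
    if not name.endswith("." + apex):
        raise ValueError(f"{name} is not below {apex}")
    labels = name[: -len(apex) - 1].split(".")
    return [".".join(labels[i:]) + "." + apex for i in range(1, len(labels))]

def broken_ancestors(name: str, apex: str,
                     rcode_of: Callable[[str], str]) -> List[str]:
    """Ancestors answering NXDOMAIN although `name` itself answers NOERROR.

    `rcode_of` is any callable returning the authoritative rcode for a name;
    here it reads the constructed table, in practice it would wrap a query.
    """
    if rcode_of(fqdn(name)) != NOERROR:
        return []  # the leaf does not exist either, so nothing contradicts
    return [a for a in ancestors(name, apex) if rcode_of(a) == NXDOMAIN]

def table_lookup(table: Dict[str, str]) -> Callable[[str], str]:
    """Build an rcode_of callable from a static name -> rcode table."""
    return lambda n: table.get(fqdn(n), NXDOMAIN)

if __name__ == "__main__":
    bad = broken_ancestors("8aff0abfe5e9.sn.mynetname.net", "mynetname.net",
                           table_lookup(SAMPLE_AUTH_ANSWERS))
    for a in bad:
        print(f"{a} answers NXDOMAIN but has an existing descendant")
```

An intermediary name that holds no records of its own should answer NOERROR with an empty answer section (NODATA); with that rcode in the table the check returns an empty list.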