Ill start off by saying i am just learning DNSSEC so maybe im way off course.
I have turned on DNSSEC on my server 2012 r2 server and found that i can not get to ipower-inc.com. There is NOT a DS record for ipower-inc.com (or ipower.com) so i would expect the dns request to complete without a DNSSEC failure (like microsoft.com...).
In looking at the debug logs with DNSSEC ON i see the request to the dns forwarder (ISP DNS Server) returns a CNAME for ipower-inc.com that points to ipower.com which has an A record. If i look at the response back to my client my dns server tells the client there is NO A record found for ipower-inc.com, well that IS correct, there isnt an A record, there is a CNAME that points to ipower.com.
If i look at the debug logs with DNSSEC OFF i see my dns server responds back to the client with the same info my ISP responded to me with. i did clear the cache between tests.
SO my question, is this just bad dns setup on ipower's side where they are breaking some rule that i dont know of because i didnt read all the RFC's OR is this a unexpected behavior (bug) in the windows DNS Server? OR is it door number 3?
thanks
tim