I have a customer who is looking to use Akamai Fast DNS as secondary while using Dyn as primary for his DNS zone management. There are TLDs and being a KONA customer, they leverage ZAM.
After setting everything up, we noticed that there are some errors on Akamai's side. At first we did not use TSIG, but added it on both sides and still got errors.
When Dyn was contacted, they said that these zones have implemented the ALIAS service. The ALIAS service uses DNSSEC signatures to carry the payload data to understand current IP addresses of the redirect servers. Dyn only uses the DNSSEC signatures for this purpose and does not insert signatures for every record of the zone. ALIAS records cannot be transferred to a secondary DNS provider via an AXFR/IXFR transfer.
Also, DNSSEC itself cannot be enabled on a zone with advanced services such as ALIAS. DNSSEC needs to create a signature for the records. As such, it is only compatible with "normal" record types.
Now the two key questions from an Akamai standpoint are:
1. If we did enable DNSSEC, would that resolve the zone transfer error?
2. How does this setup on the primary affect ZAM?