RFC4035: "The RRSIG Signer's Name field is equal to the name of the zone containing the RRset".
But for CNAME, the RRSIG gets the target zone, when the target zone is on the same server.
For CNAME against external zones it works correctly.
[snip] RRSIG CNAME 8 3 3600 20111222000000 20111208000000 32493 onlinesigning.net. [snip]
[snip] RRSIG CNAME 8 3 3600 20111222000000 20111208000000 32493 onlinesigning.se. [snip]
the target of the CNAME is net010.onlinesigning.net (which is also handled by 184.108.40.206).
This problem means that a validating bind resolves to SERVFAIL, since the signature is invalid.
A patch for the problem is attached to the ticket.
Attachment 'Patch fixing the problem' (pdns-trunk-r2313-fix-cname-internal-zone-rrsig-signer.1.patch) https://gist.github.com/5466723
Accepted as r2314. Thanks!