[Opendnssec-develop] Inbound AXFR design

Matthijs Mekking matthijs at NLnetLabs.nl
Tue Sep 15 13:08:04 UTC 2009


Ray.Bellis at nominet.org.uk wrote:
> 
>> New signer tool, axfr_listener runs as daemon:
>> - Listen to NOTIFY messages.
>> - If no input file exists or if a NOTIFY is received from a master:
>>   - do axfr request (nsd-xfer)
>>   - write result back to axfr directory
>>   - execute signer_engine_cli update
> 
> Are there any thoughts as to whether this daemon needs to honour the
> "refresh" and "expiry" times from the SOA, such that it periodically
> polls the master for the SOA even if it hasn't received a NOTIFY?

That depends if OpenDNSSEC is being a bump in the wire or acts as a real
secondary. If secondary, it should honour the refresh and expiry timers.
If bump, imo, it only has to listen to NOTIFY.

> If it hasn't already been decided, consideration may need to be given as
> to whether the NOTIFY channel (and hence the axfr_listener) requires
> TSIG support.

That has been taken into account.

Matthijs
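The two behaviours distinguished in the reply above, as an added sketch that is not part of the original message or OpenDNSSEC's code. The names `SoaTimers`, `ZoneState` and `next_action` and the mode strings are hypothetical; the timer handling follows the usual secondary semantics of the SOA refresh, retry and expire fields.

```python
# Added illustration: decision logic for a hypothetical axfr_listener.
from dataclasses import dataclass


@dataclass
class SoaTimers:
    refresh: int  # seconds between SOA polls of the master
    retry: int    # seconds to wait after a failed poll
    expire: int   # seconds without master contact before the zone is stale


@dataclass
class ZoneState:
    have_input_file: bool
    last_success: float   # time of last successful SOA check or transfer
    last_attempt: float   # time of last poll attempt (successful or not)
    last_attempt_failed: bool = False


def next_action(mode, timers, st, now, notify_from_master=False):
    """Return 'transfer', 'poll_soa', 'expire' or 'wait'.

    notify_from_master is assumed to be set by the caller only for a
    NOTIFY that passed its source check (master ACL, TSIG if configured).
    """
    if mode not in ("bump", "secondary"):
        raise ValueError(f"unknown mode: {mode!r}")
    # Triggers from the quoted design, common to both modes.
    if not st.have_input_file or notify_from_master:
        return "transfer"
    if mode == "bump":
        return "wait"  # bump in the wire: NOTIFY is the only trigger
    # Real secondary: honour expire first, then refresh/retry polling.
    if now - st.last_success >= timers.expire:
        return "expire"  # stop signing/serving data the master may have dropped
    interval = timers.retry if st.last_attempt_failed else timers.refresh
    if now - st.last_attempt >= interval:
        return "poll_soa"  # compare serials; transfer only if the master is newer
    return "wait"


if __name__ == "__main__":
    t = SoaTimers(refresh=3600, retry=600, expire=604800)  # constructed values
    z = ZoneState(have_input_file=True, last_success=0, last_attempt=0)
    for mode in ("bump", "secondary"):
        print(mode, next_action(mode, t, z, now=7200))
```

In bump mode a lost NOTIFY leaves the signer on old data indefinitely, which is the gap the refresh and expire question points at.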