[Opendnssec-user] Must have DNS notify?

Havard Eidnes he at uninett.no
Thu Aug 8 12:46:36 UTC 2013


I'm slowly getting acquainted with OpenDNSSEC, now version 1.4.1.

It seems to me that when you configure OpenDNSSEC to use DNS to
fetch an unsigned zone and provide a signed zone, it behaves
differently from a proper DNS server in one important aspect, namely
that it does not appear to do periodic SOA queries towards the
provider of the unsigned zone, and it does not appear to answer SOA
queries itself, but rather appears to depend singularly on notify
messages to trigger zone transfers and re-signing operations.

True?  False?

Is that operationally "OK"?  I would have thought "no", because
there are no hard guarantees that notify messages will be delivered,
e.g. in the case of temporary network outage or temporary name
server failure, causing the need for additional manual operational
intervention after such an event.  This looks like a step in the
wrong direction...

If this is true, it also means that you must have notify configured
for your OpenDNSSEC server on the source name server, and cannot
rely on the otherwise normal periodic SOA queries to trigger zone

Best regards,

- Håvard
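The behaviour the post misses in OpenDNSSEC, periodic SOA polling of the unsigned source with REFRESH/RETRY/EXPIRE timers, is the ordinary secondary-server refresh logic of RFC 1035 section 4.3.5 plus RFC 1982 serial arithmetic. The following is an added example, not code from the original post and not part of OpenDNSSEC, that implements that logic stand-alone so an operator could run a side-car poller (or a monitoring check) against the source server and detect a missed NOTIFY. The zone name, serials, timer values and the name server in the sample data are constructed for illustration; `build_soa_response` fabricates the reply a source server would send so the rest can be exercised offline.

```python
# Added example (not OpenDNSSEC code): secondary-style SOA polling of an
# unsigned source zone, RFC 1982 serial comparison, and the RFC 1035
# REFRESH/RETRY/EXPIRE timer decisions that NOTIFY is only meant to speed up.
import socket
import struct
from dataclasses import dataclass

SOA_TYPE, IN_CLASS = 6, 1


def encode_name(name):
    """Uncompressed wire-format domain name (labels are ASCII here)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def read_name(msg, off):
    """Decode a name, following compression pointers; return (name, end_offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


@dataclass
class SOA:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def build_soa_query(zone, txid):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    return header + encode_name(zone) + struct.pack("!HH", SOA_TYPE, IN_CLASS)


def build_soa_response(zone, txid, soa, ttl=3600):
    """Constructed reply, as a source server would send it; used for offline testing."""
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)   # QR|AA|RD|RA, 1 answer
    question = encode_name(zone) + struct.pack("!HH", SOA_TYPE, IN_CLASS)
    rdata = (encode_name(soa.mname) + encode_name(soa.rname) +
             struct.pack("!IIIII", soa.serial, soa.refresh, soa.retry, soa.expire, soa.minimum))
    # owner name as a compression pointer to the question name at offset 12
    answer = b"\xC0\x0C" + struct.pack("!HHIH", SOA_TYPE, IN_CLASS, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_soa_response(msg, txid):
    """Return the SOA from the answer section; raise on id mismatch, non-response or error RCODE."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                                 # skip question section
        _, off = read_name(msg, off)
        off += 4
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SOA_TYPE:
            mname, p = read_name(msg, off)
            rname, p = read_name(msg, p)
            return SOA(mname, rname, *struct.unpack("!IIIII", msg[p:p + 20]))
        off += rdlen
    raise ValueError("no SOA in answer section")


def serial_newer(a, b):
    """RFC 1982: True if serial a is newer than b under modulo-2^32 arithmetic."""
    return a != b and ((a > b and a - b < 2 ** 31) or (a < b and b - a > 2 ** 31))


def poll_due(local, last_success, last_attempt, now, notified=False):
    """RFC 1035 secondary logic: is it time to send the next SOA query upstream?"""
    if notified:
        return True                                      # NOTIFY only shortens the wait
    if last_attempt > last_success:                      # previous poll/transfer failed
        return now - last_attempt >= local.retry
    return now - last_success >= local.refresh


def zone_expired(local, last_success, now):
    """Serve nothing once EXPIRE has elapsed without a successful refresh."""
    return now - last_success >= local.expire


def query_soa(zone, server, port=53, timeout=3.0, txid=0x1234):
    """Live SOA query over UDP against the source server (not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_soa_query(zone, txid), (server, port))
        data, _ = s.recvfrom(4096)
    return parse_soa_response(data, txid)
```

A poller built on this would call `poll_due` on its local SOA timers, issue `query_soa` when it returns true, and trigger a transfer (or an alert) when `serial_newer(upstream.serial, local.serial)` holds, regardless of whether a NOTIFY ever arrived. The live query path is deliberately minimal: a production poller would also honour the TC bit by retrying over TCP, use a random transaction id, and authenticate the source with TSIG.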

