[Opendnssec-user] Must have DNS notify?
Ondřej Surý
ondrej at sury.org
Thu Aug 8 16:05:04 UTC 2013
Why not configure regular nameserver on the same host as opendnssec instead of replicating full functionality in opendnssec itself?
Ondřej Surý
> On 8. 8. 2013, at 14:46, Havard Eidnes <he at uninett.no> wrote:
>
> Hi,
>
> I'm slowly getting acquainted with OpenDNSSEC, now version 1.4.1.
>
> It seems to me that when you configure OpenDNSSEC to use DNS to
> fetch an unsigned zone and provide a signed zone, it behaves
> differently from a proper DNS server in one important aspect, namely
> that it does not appear to do periodic SOA queries towards the
> provider of the unsigned zone, and it does not appear to answer SOA
> queries itself, but rather appears to depend singularly on notify
> messages to trigger zone transfers and re-signing operations.
>
> True? False?
>
> Is that operationally "OK"? I would have thought "no", because
> there are no hard guarantees that notify messages will be delivered,
> e.g. in the case of temporary network outage or temporary name
> server failure, causing the need for additional manual operational
> intervention after such an event. This looks like a step in the
> wrong direction...
>
> If this is true, it also means that you must have notify configured
> for your OpenDNSSEC server on the source name server, and cannot
> rely on the otherwise normal periodic SOA queries to trigger zone
> updates.
>
> Best regards,
>
> - Håvard
>
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
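The periodic SOA check that Håvard describes as missing, written here as an added example (it is not OpenDNSSEC code and not from anyone in this thread): it compares the SOA serial currently served by the unsigned source with the serial of the copy the signer last transferred, using RFC 1982 serial arithmetic so 32-bit wraparound is handled, and reports the zone as stale or expired once the source's refresh or expire interval has elapsed without a transfer. The SOA records are constructed sample data, and how the monitor obtains the last-transferred SOA (for example from the signer's on-disk input zone) is assumed and left outside the example.

```python
"""Detect a signed zone whose input copy has fallen behind its unsigned source.

Added example: emulates the SOA refresh check a normal secondary performs,
so a lost NOTIFY is noticed instead of silently leaving the signed zone old.
The SOA strings in demo() are constructed sample data, not real zones.
"""
from dataclasses import dataclass


@dataclass
class SOA:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(rdata: str) -> SOA:
    """Parse SOA RDATA in presentation format (7 whitespace-separated fields)."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"SOA needs 7 fields, got {len(fields)}: {rdata!r}")
    mname, rname, *nums = fields
    serial, refresh, retry, expire, minimum = (int(n) for n in nums)
    if not 0 <= serial < 2**32:
        raise ValueError(f"serial {serial} is not a 32-bit value")
    return SOA(mname, rname, serial, refresh, retry, expire, minimum)


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 comparison: True when serial a is newer than b, wraparound-aware."""
    if a == b:
        return False
    return (a < b and b - a > 2**31) or (a > b and a - b < 2**31)


def check_lag(source: SOA, last_transferred: SOA, seconds_since_transfer: int) -> str:
    """Classify the signer's input copy against what the source serves now.

    Thresholds come from the source SOA, exactly as a secondary would use them.
    """
    if not serial_gt(source.serial, last_transferred.serial):
        return "in-sync" if source.serial == last_transferred.serial else "source-behind"
    if seconds_since_transfer > source.expire:
        return "expired"          # a real secondary would stop serving the zone
    if seconds_since_transfer > source.refresh:
        return "stale"            # a NOTIFY was probably lost; trigger a transfer
    return "behind-within-refresh"


def demo() -> str:
    """Constructed scenario: source bumped its serial, signer never got the NOTIFY."""
    source = parse_soa("ns1.example.net. hostmaster.example.net. 2013080802 3600 900 1209600 3600")
    signer = parse_soa("ns1.example.net. hostmaster.example.net. 2013080801 3600 900 1209600 3600")
    return check_lag(source, signer, seconds_since_transfer=7200)
```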