[Opendnssec-user] Must have DNS notify?

Ondřej Surý ondrej at sury.org
Thu Aug 8 16:05:04 UTC 2013

Why not configure regular nameserver on the same host as opendnssec instead of replicating full functionality in opendnssec itself?

Ondřej Surý

> On 8. 8. 2013, at 14:46, Havard Eidnes <he at uninett.no> wrote:
> Hi,
> I'm slowly getting acquainted with OpenDNSSEC, now version 1.4.1.
> It seems to me that when you configure OpenDNSSEC to use DNS to
> fetch an unsigned zone and provide a signed zone, it behaves
> differently from a proper DNS server in one important aspect, namely
> that it does not appear to do periodic SOA queries towards the
> provider of the unsigned zone, and it does not appear to answer SOA
> queries itself, but rather appears to depend singularly on notify
> messages to trigger zone transfers and re-signing operations.
> True?  False?
> Is that operationally "OK"?  I would have thought "no", because
> there are no hard guarantees that notify messages will be delivered,
> e.g. in the case of temporary network outage or temporary name
> server failure, causing the need for additional manual operational
> intervention after such an event.  This looks like a step in the
> wrong direction...
> If this is true, it also means that you must have notify configured
> for your OpenDNSSEC server on the source name server, and cannot
> rely on the otherwise normal periodic SOA queries to trigger zone
> updates.
> Best regards,
> - Håvard
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

More information about the Opendnssec-user mailing list