[Opendnssec-user] Must have DNS notify?

Carlos M. Martinez carlos at lacnic.net
Thu Aug 8 16:13:12 UTC 2013


+1, opendnssec is a signing engine, not a full-fledged server IMO, and
this is a separation of duties that I personally like.

You can push your signed zones to the servers either by copying them
(I've used rsync), or as Ondrej suggests, you can run a DNS server
alongside opendnssec and push the signed zones using A/IXFR towards your
'public' servers. The former needs more instrumentation on your part
though, as you probably need to remotely reload your servers as well. If
using BIND, you can check 'rndc'.

cheers!

~Carlos


On 8/8/13 1:05 PM, Ondřej Surý wrote:
> Why not configure regular nameserver on the same host as opendnssec instead of replicating full functionality in opendnssec itself?
>
> Ondřej Surý
>
>> On 8. 8. 2013, at 14:46, Havard Eidnes <he at uninett.no> wrote:
>>
>> Hi,
>>
>> I'm slowly getting acquainted with OpenDNSSEC, now version 1.4.1.
>>
>> It seems to me that when you configure OpenDNSSEC to use DNS to
>> fetch an unsigned zone and provide a signed zone, it behaves
>> differently from a proper DNS server in one important aspect, namely
>> that it does not appear to do periodic SOA queries towards the
>> provider of the unsigned zone, and it does not appear to answer SOA
>> queries itself, but rather appears to depend singularly on notify
>> messages to trigger zone transfers and re-signing operations.
>>
>> True?  False?
>>
>> Is that operationally "OK"?  I would have thought "no", because
>> there are no hard guarantees that notify messages will be delivered,
>> e.g. in the case of temporary network outage or temporary name
>> server failure, causing the need for additional manual operational
>> intervention after such an event.  This looks like a step in the
>> wrong direction...
>>
>> If this is true, it also means that you must have notify configured
>> for your OpenDNSSEC server on the source name server, and cannot
>> rely on the otherwise normal periodic SOA queries to trigger zone
>> updates.
>>
>> Best regards,
>>
>> - Håvard
>>
>> _______________________________________________
>> Opendnssec-user mailing list
>> Opendnssec-user at lists.opendnssec.org
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
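The periodic SOA-serial comparison that Håvard notes the signer does not perform can be run from the outside as a monitoring check. The following is an added example, not code from the thread or from the OpenDNSSEC project: it compares the serial served by the unsigned source (the host that sends the NOTIFYs) with the serial the signer last took in, using RFC 1982 serial-number arithmetic so that 32-bit wraparound is handled, and reports whether a refresh is needed. It assumes you can obtain the signer-side serial (for instance from its unsigned input copy, or from the signed zone when the signer's serial policy keeps the source serial); the `fetch_soa_serial` helper needs `dig` and network access, while the decision logic runs on constructed sample values.

```python
#!/usr/bin/env python3
"""Detect a signer that has fallen behind its unsigned source.

Added example (not OpenDNSSEC code). If NOTIFY messages are the only
trigger for zone transfer and re-signing, a lost NOTIFY leaves the signed
zone stale until somebody notices. Comparing SOA serials on a schedule
gives an alert (or a trigger for an operator-driven refresh) instead.
"""
import subprocess

SERIAL_MOD = 1 << 32          # SOA serials are unsigned 32-bit (RFC 1982)
SERIAL_HALF = 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is newer than serial b under RFC 1982 arithmetic.

    A plain integer comparison breaks when the serial wraps around 2^32;
    this formulation is the one defined in RFC 1982 section 3.2.
    """
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def parse_soa_serial(dig_short_output: str) -> int:
    """Extract the serial from the output of 'dig +short <zone> SOA'.

    dig +short prints one line: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
    """
    fields = dig_short_output.split()
    if len(fields) != 7:
        raise ValueError(f"unexpected SOA answer: {dig_short_output!r}")
    return int(fields[2])


def fetch_soa_serial(zone: str, server: str) -> int:
    """Ask a name server for the zone's SOA serial (needs dig and network)."""
    result = subprocess.run(
        ["dig", "+short", "+norecurse", f"@{server}", zone, "SOA"],
        capture_output=True, text=True, check=True, timeout=10,
    )
    return parse_soa_serial(result.stdout)


def classify(source_serial: int, signer_serial: int) -> str:
    """Compare the source serial with what the signer last received.

    Returns 'refresh' when the source is ahead (a NOTIFY was probably
    missed), 'in-sync' when they match, and 'signer-ahead' when the signer
    holds a newer serial, which usually means the source itself is stale or
    the two serials are not comparable (e.g. the signer rewrites serials).
    """
    if source_serial % SERIAL_MOD == signer_serial % SERIAL_MOD:
        return "in-sync"
    if serial_gt(source_serial, signer_serial):
        return "refresh"
    return "signer-ahead"


def check_zone(zone: str, source_serial: int, signer_serial: int) -> dict:
    """Build a report record for one zone; suitable for a cron-driven check."""
    state = classify(source_serial, signer_serial)
    return {
        "zone": zone,
        "source_serial": source_serial,
        "signer_serial": signer_serial,
        "state": state,
        "action": "run a manual refresh/re-sign" if state == "refresh" else None,
    }


if __name__ == "__main__":
    # Constructed sample: a dig +short SOA answer as seen from the unsigned
    # source, and a signer that still holds the previous serial.
    sample_answer = ("ns1.example.net. hostmaster.example.net. "
                     "2013080802 3600 900 1209600 300")
    source = parse_soa_serial(sample_answer)
    signer = 2013080801
    print(check_zone("example.net", source, signer))
    # Uncomment to run against real servers (hostnames are placeholders):
    # src = fetch_soa_serial("example.net", "hidden-master.example.net")
    # sgn = fetch_soa_serial("example.net", "signer.example.net")
    # print(check_zone("example.net", src, sgn))
```

Run it from cron on the signer host or a monitoring box and page on the `refresh` state; the same serial comparison also catches the opposite failure where the hidden master is the stale side. The "signer-ahead" result is deliberately not treated as healthy, because with a serial policy that rewrites serials on signing the two numbers are not on the same scale and the check needs to read the signer's unsigned input copy instead.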



