[Opendnssec-user] Must have DNS notify?

Havard Eidnes he at uninett.no
Thu Aug 8 16:39:23 UTC 2013

> Why not configure regular nameserver on the same host as
> opendnssec instead of replicating full functionality in
> opendnssec itself?

Well...  This may at least partly stem from my local wishes for
deployment.  I wanted to not touch the current originating name
server, and continue to maintain the zones there, and use
OpenDNSSEC as a "bump on the wire" between the now hidden master
and the new distribution master name server.

In other words, I wanted to use "DNS in", and at the same time
"DNS out" for transferring respectively unsigned and signed
zones.  After all, that is supposed to be a supported feature,
now, with 1.4?

If I want to use the "DNS in" adapter, it seems to me that
OpenDNSSEC lays claim to port 53, so that presents an additional
challenge if you want to run a real name server in parallel with
OpenDNSSEC.  (Even though you can configure the signer to listen
to another port than 53, I don't immediately see a way for me to
configure BIND to send notify messages to another port than port
53.)  This quickly devolves into a kludge on top of another
kludge, which I am trying my best to avoid.

I'm not sure being able to query for SOA for the incoming zone or
reply to a SOA query for the outgoing zone needs to be as
complicated as implementing a full name server.  After all, it is
already today listening for and sending notify messages.  But
then again, what do I know...

Best regards,

- Håvard

More information about the Opendnssec-user mailing list