[Opendnssec-user] Must have DNS notify?

Joe Abley jabley at hopcount.ca
Thu Aug 8 17:13:25 UTC 2013


On 2013-08-08, at 12:39, Havard Eidnes <he at uninett.no> wrote:

>> Why not configure regular nameserver on the same host as
>> opendnssec instead of replicating full functionality in
>> opendnssec itself?
> 
> Well...  This may at least partly stem from my local wishes for
> deployment.  I wanted to not touch the current originating name
> server, and continue to maintain the zones there, and use
> OpenDNSSEC as a "bump on the wire" between the now hidden master
> and the new distribution master name server.
> 
> In other words, I wanted to use "DNS in", and at the same time
> "DNS out" for transferring respectively unsigned and signed
> zones.  After all, that is supposed to be a supported feature,
> now, with 1.4?

We have done that since 1.00 at ICANN for many zones. Our approach was to transfer the zones in out of cron using dig axfr wrapped with a bit of sh, rather than waiting for NOTIFY (1.00 didn't include support for NOTIFY). Even with quite a few zones to handle, albeit none of them very large, pulling all the zones in on a fairly rapid schedule rather than waiting for NOTIFYs doesn't cause any significant headache for us.

> If I want to use the "DNS in" adapter, it seems to me that
> OpenDNSSEC lays claim to port 53, so that presents an additional
> challenge if you want to run a real name server in parallel with
> OpenDNSSEC.

Well, there's nothing to say you have to bind a private-use nameserver to port 53. You can bind to a different port, and configure your origin masters (for the unsigned zones) to notify a different port.

> (Even though you can configure the signer to listen
> to another port than 53, I don't immediately see a way for me to
> configure BIND to send notify messages to another port than port
> 53.)

also-notify {
  target-address port target-port;
};

I'm not suggesting that what you say doesn't make sense, just that there are workarounds that might well be acceptable.


Joe
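As an added illustration of the cron-driven approach Joe describes (this is example code written for this page, not code from the thread or from OpenDNSSEC), below is a small sh wrapper around dig axfr that pulls unsigned zones from a hidden master and only replaces the stored copy when the SOA serial has moved forward, so a transfer that is refused, truncated or unchanged never clobbers a good file. The drop directory, the master address 192.0.2.10 and the port are assumptions; the serial check follows RFC 1982 arithmetic so a wrapped serial still counts as newer.

```shell
#!/bin/sh
# Added example, not from the thread: a cron-driven "dig axfr wrapped in a
# bit of sh" pull of unsigned zones from a hidden master, as an alternative
# to waiting for NOTIFY. Directory, master address and port are assumptions.
set -u

ZONEDIR="${ZONEDIR:-/var/lib/opendnssec/unsigned}"  # assumed drop directory
MASTER="${MASTER:-192.0.2.10}"                       # assumed hidden master (documentation range)
PORT="${PORT:-53}"                                   # master's port; use -p for a non-53 master

# Read zone text on stdin and print the serial of the first SOA record
# (fields: owner ttl class SOA mname rname serial ...). Prints nothing if
# there is no SOA, e.g. on a refused or failed transfer.
soa_serial() {
    awk '$4 == "SOA" { print $7; exit }'
}

# RFC 1982 serial comparison: returns 0 if $1 is newer than $2 (mod 2^32),
# so a serial that has wrapped around still counts as an update.
serial_newer() {
    d=$(( ($1 - $2) & 4294967295 ))
    [ "$d" -ne 0 ] && [ "$d" -lt 2147483648 ]
}

# Serial of the zone file we already hold, or 0 if there is none (or it has no SOA).
stored_serial() {
    s=""
    [ -f "$ZONEDIR/$1" ] && s=$(soa_serial < "$ZONEDIR/$1")
    echo "${s:-0}"
}

# Transfer one zone and replace the stored copy only when the serial moved
# forward. Returns 0 when the file was updated, 1 otherwise.
fetch_zone() {
    zone=$1
    tmp="$ZONEDIR/.$zone.$$"
    if ! dig @"$MASTER" -p "$PORT" +noall +answer +onesoa "$zone" AXFR > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    new=$(soa_serial < "$tmp")
    old=$(stored_serial "$zone")
    if [ -n "$new" ] && serial_newer "$new" "$old"; then
        mv "$tmp" "$ZONEDIR/$zone"   # atomic replace; the signer picks up the new file
        return 0
    fi
    rm -f "$tmp"                     # unchanged, empty or failed transfer: keep the old copy
    return 1
}

# From cron every few minutes, e.g.:  axfr-pull.sh example.com example.net
for z in "$@"; do
    fetch_zone "$z" && echo "updated $z"
done
```

Because dig is pointed at the master with -p, the same script works whether the hidden master answers on 53 or elsewhere; and the NOTIFY path Joe sketches above needs nothing more than the matching port in the origin master's also-notify statement (BIND accepts an address followed by "port" and a number there).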
