[Opendnssec-user] Must have DNS notify?

Matthijs Mekking matthijs at nlnetlabs.nl
Tue Aug 20 08:51:50 UTC 2013


Hi,

OpenDNSSEC 1.4 should read the incoming SOA RDATA values and use the
REFRESH, RETRY and EXPIRE values to do periodic zone transfer requests
in case no NOTIFY messages have been received in the meantime.

Also, OpenDNSSEC 1.4 responds to queries without doing additional
processing (so no CNAME following, additional RRsets, ...), so it should
answer SOA queries.

The zone fetcher (OpenDNSSEC 1.3.x and lower) does not do periodic AXFR
requests based on the REFRESH and RETRY values and indeed relies on
incoming NOTIFY messages.

Best regards,
  Matthijs


On 08/09/2013 11:03 AM, Sara Dickinson wrote:
> 
> On 9 Aug 2013, at 09:22, Klaus Darilion wrote:
> 
>>
>>
>> On 08.08.2013 14:46, Havard Eidnes wrote:
>>> It seems to me that when you configure OpenDNSSEC to use DNS to
>>> fetch an unsigned zone and provide a signed zone, it behaves
>>> differently from a proper DNS server in one important aspect, namely
>>> that it does not appear to do periodic SOA queries towards the
>>> provider of the unsigned zone, and it does not appear to answer SOA
>>> queries itself, but rather appears to depend singularly on notify
>>> messages to trigger zone transfers and re-signing operations.
>>
>> AFAIK this is also the case with ODS 1.3, which supports incoming AXFR only. As a workaround we have a cron job with "rndc notify ..." on the BIND server to send NOTIFYs every 5 minutes to ODS.
> 
> Hi, 
> 
> Matthijs (our DNS adaptor expert) is away this week and next and he can confirm when he returns.
> 
> But I do know that on the output side the DNS adaptor in OpenDNSSEC 1.4 certainly responds to SOA queries as we have just fixed a bug related to this in the upcoming 1.4.2 release:
> 
> https://issues.opendnssec.org/browse/OPENDNSSEC-424
> 
> My understanding is that the input side DNS adaptor uses the refresh field on the SOA to determine when to request further zone transfers. 
> 
> Sara.
> 
>>
>> regards
>> Klaus
>> _______________________________________________
>> Opendnssec-user mailing list
>> Opendnssec-user at lists.opendnssec.org
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
> 
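To make the timer behaviour Matthijs describes concrete, here is an added model (not OpenDNSSEC code) of how a secondary schedules SOA checks from the REFRESH, RETRY and EXPIRE fields when no NOTIFY arrives, following RFC 1034 section 4.3.5 semantics with RFC 1982 serial comparison; the SOA record and timestamps are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class SoaTimers:
    serial: int
    refresh: int
    retry: int
    expire: int

def parse_soa_rdata(rdata: str) -> SoaTimers:
    """Parse presentation-format SOA RDATA: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError("SOA RDATA must have exactly 7 fields")
    _mname, _rname, serial, refresh, retry, expire, _minimum = fields
    return SoaTimers(int(serial), int(refresh), int(retry), int(expire))

def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial-number arithmetic: True if a is newer than b (mod 2^32)."""
    return 0 < (a - b) % (1 << 32) < (1 << 31)

class ZoneRefreshState:
    """Constructed model of a secondary's per-zone timers (RFC 1034 s4.3.5); not OpenDNSSEC code."""
    def __init__(self, timers: SoaTimers, now: int):
        self.timers = timers
        self.serial = timers.serial
        self.last_success = now                 # last successful contact with upstream
        self.next_check = now + timers.refresh  # when to poll SOA if no NOTIFY arrives

    def due(self, now: int) -> bool:
        return now >= self.next_check

    def expired(self, now: int) -> bool:        # past EXPIRE: stop serving, keep polling
        return now - self.last_success > self.timers.expire

    def on_notify(self, now: int) -> None:      # NOTIFY only shortens the wait
        self.next_check = now

    def on_check_result(self, now: int, upstream_serial=None) -> str:
        """upstream_serial None means the SOA query failed; otherwise the serial seen upstream."""
        if upstream_serial is None:
            self.next_check = now + self.timers.retry
            return "retry"
        self.last_success = now
        self.next_check = now + self.timers.refresh
        if serial_gt(upstream_serial, self.serial):
            self.serial = upstream_serial       # would trigger AXFR/IXFR, then re-signing
            return "transfer"
        return "unchanged"
```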
