[Opendnssec-user] OpenDNSSEC 2.x roadmap - dynamic updates?

Kevin Thompson sysadmin at antiduh.com
Tue Oct 7 18:09:32 UTC 2014


On 2014-10-07 03:44, Klaus Darilion wrote:
> On 06.10.2014 19:15, Kevin Thompson wrote:
>> Howdy all,
>> 
>> I was reading the release plan[1], and I saw mentioned 'Signer - Dynamic
>> updates'. Could you elaborate on that?
>> 
>> Currently, the best method I've found for integrating ODS with a dynamic
>> zone on one server is the CentralNIC pattern[2] - the unsigned zone is
>> served by a master from a private view, injected into ODS by a DNS input
>> adapter, signed file goes out, and finally the signed file is served
>> statically by the master on a public view. This method works, but is a
>> little cumbersome.
>> 
>> I'm really hoping that what is meant by 'dynamic updates' is that ODS
>> would take notifies to know when the dynamic zone is changed, would
>> download the updates via IXFR, and then directly add/update/delete
>> records as needed via dynamic updates. If so, this would be huge, since
>> it would greatly ease integration of ODS into dynamic zones. I imagine
>> the similarly mentioned "Database input and output adapter" would work
>> the same way, but would directly update a database storing the zone.
> 
> I wouldn't call that "dynamic updates". This is a normal zone transfer,
> using incremental zone transfer.
> 
> With dynamic updates, there is no NOTIFY with XFR, but the UPDATE is
> pushed directly to the name server.

Thanks for replying.

I'm not sure I understand how ODS gets involved in this situation since 
there are two communication directions to consider. When the dynamic 
zone is updated by, say, some zone manager UI, how is ODS notified so 
that it could push signature updates to the dynamic zone? I'm guessing 
here, but would that be:

  1 Zone manager sends RFC 2136 UPDATEs to dynamic zone master
  2 Dynamic zone master sends RFC 1996 NOTIFYs to ODS and slaves
  3 ODS receives NOTIFY, performs an IXFR to find out what changed.
  4 ODS sends UPDATEs to dynamic zone master to update signatures.
  5 Dynamic zone master sends a RFC 1996 NOTIFY to ODS and slaves
  6 ODS ignores the NOTIFY since it only contains changes it created.

In the case where the change originates in ODS, for example when ODS 
decides to update expiring signatures, then I'd imagine that the 
sequence would be the same but starting at step 4.

Do I have that right, or have I completely misunderstood what this 
proposed feature is about? Really, what I'm hoping for is to undo the 
CentralNIC "split-view" pattern and have ODS directly attach to a 
dynamic zone and manage it seamlessly as if it were any other automatic 
zone manager.

--Kevin
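The six-step sequence proposed in the message above, as an added illustration that is not OpenDNSSEC code: a toy Python model in which a dynamic-zone master accepts UPDATE transactions, answers IXFR from a per-serial history and queues NOTIFYs, while a signer object plays the ODS role (NOTIFY in, IXFR to find the changed RRsets, UPDATE out with replacement RRSIGs). Step 6, ignoring the NOTIFY caused by the signer's own UPDATE, is handled by remembering the serials those UPDATEs produced, and the signer-initiated refresh that starts at step 4 is modelled by bumping an inception counter. The record tuples, the digest-string stand-in for an RRSIG and the serial numbers are all constructed for this example.

```python
"""Toy NOTIFY -> IXFR -> UPDATE round trip. Added example, not OpenDNSSEC code:
records are (name, type, rdata) tuples, an "RRSIG" is a digest string, and the
network is replaced by method calls plus a NOTIFY queue on the master."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class ZoneMaster:
    """Dynamic-zone master: takes UPDATEs (RFC 2136), answers IXFR, sends NOTIFY (RFC 1996)."""
    serial: int
    records: set = field(default_factory=set)       # current zone content
    history: dict = field(default_factory=dict)     # serial -> (added, deleted) for IXFR
    listeners: list = field(default_factory=list)   # signer and slaves
    pending: list = field(default_factory=list)     # NOTIFYs queued but not yet delivered

    def update(self, add=(), delete=()):
        """Apply one UPDATE transaction: new serial, delta remembered, NOTIFY queued."""
        add, delete = frozenset(add), frozenset(delete)
        self.records = (self.records - delete) | add
        self.serial += 1
        self.history[self.serial] = (add, delete)
        self.pending.append(self.serial)            # NOTIFY goes out after commit
        return self.serial

    def send_notifies(self):
        """Deliver queued NOTIFYs; ones queued during delivery wait for the next call."""
        batch, self.pending = self.pending, []
        for serial in batch:
            for listener in self.listeners:
                listener.notify(serial)
        return batch

    def ixfr(self, since):
        """Incremental transfer: every delta newer than `since`, oldest first."""
        return [(s, self.history[s]) for s in sorted(self.history) if s > since]


@dataclass
class Signer:
    """The ODS role: NOTIFY -> IXFR -> UPDATE carrying fresh signatures."""
    master: ZoneMaster
    known_serial: int                               # last serial we have fully signed
    inception: int = 1                              # bumped on a full re-sign
    own_serials: set = field(default_factory=set)   # serials our own UPDATEs produced
    notify_log: list = field(default_factory=list)

    def notify(self, serial):
        # Step 6: a NOTIFY for a serial we produced ourselves carries nothing new.
        if serial in self.own_serials:
            self.notify_log.append((serial, "ignored"))
            return
        self.notify_log.append((serial, "processed"))
        self.sign_changes()                          # steps 3 and 4

    def _rrsig(self, name, rtype, rrset):
        # Stand-in signature: digest of the RRset plus the inception generation.
        digest = hashlib.sha256("|".join(sorted(rrset)).encode()).hexdigest()[:8]
        return (name, "RRSIG", f"{rtype}:{digest}:{self.inception}")

    def sign_changes(self, rrsets=None):
        """Find changed RRsets via IXFR (or sign the given ones) and push replacement RRSIGs."""
        if rrsets is None:
            rrsets = set()
            for _, (added, deleted) in self.master.ixfr(self.known_serial):
                rrsets |= {(n, t) for n, t, _ in added | deleted if t != "RRSIG"}
        to_add, to_del = set(), set()
        for name, rtype in rrsets:
            data = {r for n, t, r in self.master.records if (n, t) == (name, rtype)}
            old = {rec for rec in self.master.records
                   if rec[0] == name and rec[1] == "RRSIG" and rec[2].startswith(rtype + ":")}
            new = {self._rrsig(name, rtype, data)} if data else set()   # no RRset, no RRSIG
            to_add |= new - old
            to_del |= old - new
        if not to_add and not to_del:
            self.known_serial = self.master.serial
            return None
        serial = self.master.update(add=to_add, delete=to_del)
        self.own_serials.add(serial)                 # so the resulting NOTIFY is ignored
        self.known_serial = serial
        return serial

    def resign_all(self):
        """Signer-initiated refresh (expiring signatures): sequence starts at step 4."""
        self.inception += 1
        return self.sign_changes({(n, t) for n, t, _ in self.master.records if t != "RRSIG"})


def deliver_all(master):
    while master.pending:
        master.send_notifies()


def run_scenario():
    """Constructed walk-through: an add, a change, then a signer-driven refresh."""
    master = ZoneMaster(serial=100)
    signer = Signer(master=master, known_serial=100)
    master.listeners.append(signer)
    master.update(add={("www.example.", "A", "192.0.2.10")})          # step 1
    deliver_all(master)                                               # steps 2-6
    master.update(add={("www.example.", "A", "192.0.2.11")},
                  delete={("www.example.", "A", "192.0.2.10")})        # step 1 again
    deliver_all(master)
    signer.resign_all()                                               # step 4 onwards
    deliver_all(master)
    return master, signer
```

Running `run_scenario()` ends with the master at serial 105: serials 101 and 103 are the zone manager's changes and are processed, while 102, 104 and 105 are the signer's own UPDATEs and their NOTIFYs are ignored. Two things the model makes visible that the prose leaves implicit: the signer must advance its IXFR start point past its own transactions (otherwise it keeps re-reading its own RRSIG changes), and a NOTIFY that arrives before the signer has recorded the serial of its own UPDATE would be misclassified, which is why the master only emits NOTIFY after the transaction has committed and returned.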
