[Opendnssec-user] SOA serial keep strategy

Roland van Rijswijk - Deij roland.vanrijswijk at surfnet.nl
Fri Jun 9 08:14:16 UTC 2017


Hi Yuri,

Yuri Schaeffer wrote:
> One of the SOA serial strategies OpenDNSSEC has is keep. OpenDNSSEC will
> never change the serial it receives from the master, it will be just
> copied over. As a consequence only changes to the signed zone can be
> made when a change from the master comes in. OpenDNSSEC will not be able
> to refresh signatures (and thus they might expire) until a change comes
> in. OpenDNSSEC cannot ensure validity of a zone.
> 
> Personally I think the keep strategy is just generally a bad idea. I'm
> thinking about deprecating the keep strategy in favour of simpler code
> and less chance to shoot yourself in the foot. Therefore I'd like to
> know if there (still) is actually any demand for this feature. An
> important use case I'm missing. Is anyone using this?

If I remember correctly, the rationale for having this strategy is to
facilitate TLD operators, who run the signer manually once they have
produced a zone from data in their registry backend systems. Since they
generally have a regular refresh cycle, I don't think signature
expiration would be an issue for them.

So while I would agree that for most users this is a bad strategy (for
the reasons you mention), there might be an actual use case for it. Any
TLD operators want to jump in and comment?

Perhaps it makes sense to issue a (suppressable) warning in the logs if
this strategy is chosen.

Those were my €0.02 ;-)

Cheers,

Roland

-- 
-- Roland M. van Rijswijk - Deij
-- SURFnet bv
-- w: http://www.surf.nl/en/about-surf/subsidiaries/surfnet
-- e: roland.vanrijswijk at surfnet.nl
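As an added illustration of the point discussed in this thread (this is example code written for this page, not part of OpenDNSSEC and not posted by either author): a small Python model of the two kinds of serial strategy. With `keep` the signer may only publish a zone when the master hands over a new serial, so whether RRSIGs expire depends entirely on how often the master runs; with a signer-owned serial (modelled here as `counter`) the signer can bump the serial and refresh signatures on its own. The function names `simulate` and `keep_is_safe`, the `DAY` constant and the sample intervals are constructed for this example; `validity` and `refresh` stand in for the KASP `<Validity>` and `<Refresh>` periods.

```python
# Added example (not from the thread or from OpenDNSSEC): a model of why the
# "keep" SOA serial strategy can let RRSIGs expire, and when a regular master
# refresh cycle (the TLD use case mentioned in the reply) makes it harmless.
# All intervals are in seconds; names below are illustrative, not OpenDNSSEC API.

DAY = 86400

KEEP = "keep"        # serial copied from the master; signer re-signs only on master change
COUNTER = "counter"  # signer owns the serial and may bump it to refresh signatures


def simulate(strategy, master_interval, validity, refresh, horizon, step=3600):
    """Walk the clock from 0 to `horizon` in `step` seconds and return how many
    seconds the published zone carried expired RRSIGs.

    master_interval: how often the master produces a new unsigned zone (new serial)
    validity:        RRSIG validity period granted at signing time
    refresh:         how long before expiry the signer wants to re-sign
    """
    if strategy not in (KEEP, COUNTER):
        raise ValueError(f"unknown serial strategy: {strategy}")
    if master_interval <= 0 or validity <= 0 or step <= 0:
        raise ValueError("intervals must be positive")

    expired = 0
    sig_expiry = None          # no signed zone published yet
    last_master_serial = None

    for now in range(0, horizon, step):
        # Constructed master: a new serial every master_interval seconds.
        master_serial = 1 + now // master_interval
        master_changed = master_serial != last_master_serial
        last_master_serial = master_serial

        if master_changed:
            # Both strategies (re)sign whenever the master delivers a new zone.
            sig_expiry = now + validity
        elif strategy == COUNTER and now >= sig_expiry - refresh:
            # Only a strategy that controls the serial can publish a refreshed
            # zone between master updates; "keep" has to wait for the master.
            sig_expiry = now + validity

        if now >= sig_expiry:
            expired += step

    return expired


def keep_is_safe(master_interval, validity, refresh):
    """Conservative check for the use case in the reply: 'keep' is harmless only
    when the master hands over a new zone before the signatures from the
    previous run enter their refresh window. A master run that is merely
    faster than `validity` still leaves no slack for a late or failed run."""
    return master_interval <= validity - refresh


if __name__ == "__main__":
    validity, refresh, horizon = 14 * DAY, 3 * DAY, 30 * DAY
    for master_interval in (1 * DAY, 30 * DAY):
        for strategy in (KEEP, COUNTER):
            bad = simulate(strategy, master_interval, validity, refresh, horizon)
            print(f"master every {master_interval // DAY:2d}d, {strategy:7s}: "
                  f"{bad // DAY:2d} days with expired signatures")
        print(f"  keep_is_safe: {keep_is_safe(master_interval, validity, refresh)}")
```

Run as-is it prints that a daily master run never leaves expired signatures under either strategy, while a monthly master run with `keep` publishes expired signatures for 16 of every 30 days and the signer-owned serial never does. `keep_is_safe` is the kind of test a "(suppressable) warning in the logs" could be based on: it only needs the configured validity and refresh periods plus the operator's expected master cycle.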


