[Opendnssec-user] SOA serial keep strategy

Peter van Dijk peter.van.dijk at powerdns.com
Thu Jun 15 20:12:30 UTC 2017


Hi Yuri,

On 31 May 2017, at 12:40, Yuri Schaeffer wrote:

> One of the SOA serial strategies OpenDNSSEC has is keep. OpenDNSSEC will
> never change the serial it receives from the master, it will be just
> copied over. As a consequence only changes to the signed zone can be
> made when a change from the master comes in. OpenDNSSEC will not be able
> to refresh signatures (and thus they might expire) until a change comes
> in. OpenDNSSEC can not ensure validity of a zone.
>
> Personally I think the keep strategy is just generally a bad idea. I'm
> thinking about deprecating the keep strategy in favour of simpler code
> and less chance to shoot yourself in the foot. Therefore I'd like to
> know if there (still) is actually any demand for this feature. An
> important use case I'm missing. Is anyone using this?

I’m not using this, but here are my 2 cents: PowerDNS, when operating as a slave, will periodically check the SOA serial (like most DNS daemons do when configured as a slave for a zone). On top of that, we also check the expiry of the SOA RRSIG. If that changes, we also refetch the zone. Thus, with PowerDNS slaves, ‘keep’ is a legit use case. Other daemons may want to consider also implementing this. Users of daemons that do not implement this will, of course, need to be careful about either (a) updating their upstream zones periodically or (b) forcing periodic refetches from OpenDNSSEC.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
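Added example, not code from PowerDNS or OpenDNSSEC: a secondary's refresh decision for a zone whose signer uses the 'keep' strategy described in Yuri's message. Under 'keep' the serial is copied from the primary unchanged, so a re-sign that only refreshes RRSIGs leaves the serial alone and a serial-only poller never refetches; the PowerDNS behaviour Peter describes, also comparing the SOA RRSIG expiration, does catch it. Serial comparison uses RFC 1982 arithmetic and the RRSIG field layout follows RFC 4034 presentation format. The zone name, serial, key tag, signature fields and timestamps are constructed for this example.

```python
# Added example (not PowerDNS or OpenDNSSEC code): refresh decision on a secondary
# for a zone signed with OpenDNSSEC's 'keep' SOA serial strategy.
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class SoaView:
    """What a secondary learns from one SOA query with DO=1: the serial and the SOA RRSIG expiration."""
    serial: int
    rrsig_expiration: int  # seconds since the Unix epoch, taken from the SOA RRSIG


def parse_rrsig_expiration(rrsig_rdata: str) -> int:
    """Return the Signature Expiration field of an RRSIG RDATA in presentation format.

    RFC 4034 section 3.2 field order: type covered, algorithm, labels, original TTL,
    expiration, inception, key tag, signer's name, signature. Expiration is either
    YYYYMMDDHHmmSS (UTC) or a bare integer of seconds since the epoch.
    """
    fields = rrsig_rdata.split()
    if len(fields) < 9:
        raise ValueError("RRSIG RDATA has fewer than 9 fields")
    exp = fields[4]
    if len(exp) == 14 and exp.isdigit():
        dt = datetime.strptime(exp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        return int(dt.timestamp())
    return int(exp)


def serial_is_newer(candidate: int, current: int) -> bool:
    """RFC 1982 serial number arithmetic on 32-bit SOA serials (handles wraparound)."""
    if candidate == current:
        return False
    diff = (candidate - current) % (1 << 32)
    return 0 < diff < (1 << 31)


def should_refetch(cached: SoaView, observed: SoaView, check_rrsig: bool) -> bool:
    """Serial-only secondaries pass check_rrsig=False; the PowerDNS-style check passes True."""
    if serial_is_newer(observed.serial, cached.serial):
        return True
    return check_rrsig and observed.rrsig_expiration != cached.rrsig_expiration


def signatures_expired(view: SoaView, now: int) -> bool:
    """True once the SOA RRSIG a secondary still serves is past its expiration."""
    return now >= view.rrsig_expiration


# Constructed sample: the initial transfer, then OpenDNSSEC re-signs under 'keep' with
# the same serial and a later expiration. Key tag 12345 and the signature fields are
# placeholders, not real values.
INITIAL_RRSIG = "SOA 8 2 3600 20170701120000 20170601120000 12345 example.com. c2lnbmF0dXJl"
RESIGNED_RRSIG = "SOA 8 2 3600 20170715120000 20170615120000 12345 example.com. bmV3c2ln"
SERIAL = 2017053101  # unchanged under 'keep' until the primary publishes a new serial

CACHED = SoaView(SERIAL, parse_rrsig_expiration(INITIAL_RRSIG))
OBSERVED = SoaView(SERIAL, parse_rrsig_expiration(RESIGNED_RRSIG))


def demo() -> dict:
    """Compare a serial-only secondary with one that also watches the SOA RRSIG."""
    # A secondary that never refetched is serving expired signatures by 2017-07-02.
    later = int(datetime(2017, 7, 2, tzinfo=timezone.utc).timestamp())
    return {
        "serial_only_refetch": should_refetch(CACHED, OBSERVED, check_rrsig=False),
        "rrsig_aware_refetch": should_refetch(CACHED, OBSERVED, check_rrsig=True),
        "serial_only_stale_on_2017_07_02": signatures_expired(CACHED, later),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The serial-only poller reports no refetch and ends up serving a zone that validators reject once the old RRSIGs expire; the RRSIG-aware poller refetches on the changed expiration. Operators of daemons without the second check are in case (a) or (b) of Peter's note: bump the upstream serial periodically or force refetches.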