[Opendnssec-user] SOA serial keep strategy

Yuri Schaeffer yuri at nlnetlabs.nl
Fri Jun 16 08:42:58 UTC 2017


Hi Peter,

> I’m not using this, but here are my 2 cents: PowerDNS, when operating
> as a slave, will periodically check the SOA serial (like most DNS
> daemons do when configured as a slave for a zone). On top of that, we
> also check the expiry of the SOA RRSIG. If that changes, we also
> refetch the zone. Thus, with PowerDNS slaves, ‘keep’ is a legit use
> case. Other daemons may want to consider also implementing this.
> Users of daemons that do not implement this will, of course, need to
> be careful about either (a) updating their upstream zones
> periodically or (b) forcing periodic refetches from OpenDNSSEC.

Interesting idea. But it doesn't really solve the problem at hand.
Specifically, if OpenDNSSEC were to use 'keep' and it doesn't get an
update from the master, it isn't able to publish a new version of the
zone since it cannot bump the serial on its own. As signing software it
is, in my opinion, really a no-go to publish a zone twice with the same
version number but with different content. (Imagine how this would screw
up IXFR, amongst other problems.)

So even if PowerDNS would detect an expired RRSIG SOA, it can't get a
'good' version from OpenDNSSEC until upstream bumps the unsigned zone.

Moreover, the SOA signature is guaranteed to expire last, since the SOA
WILL get resigned for every new version. So it is a poor method of
detecting a stale zone.

So the feature might enhance the refresh value from the SOA, which is
nice I guess, but I don't think it will solve much here.

//Yuri
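The three mechanisms the thread touches on, written out as an added example (this is not OpenDNSSEC or PowerDNS code): a secondary's RFC 1982 serial comparison, a scan of every RRSIG expiration in a signed zone rather than only the SOA's, and the "never publish different content under the same serial" rule Yuri describes for the 'keep' strategy. The zone dump is constructed and assumes the full presentation format with TTL and class on every line; the signature fields are placeholder base64, not real signatures, and the names, serial and key tag are made up.

```python
"""Stale-zone checks from the 'keep' discussion. Added example, not project code.
The zone text below is constructed; signature fields are placeholders."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed signed zone: the SOA RRSIG expires last (2017-07-16), while the
# NS and A RRSIGs expire weeks earlier, which is what an SOA-only check misses.
SAMPLE_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2017061601 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20170716084258 20170616084258 12345 example.com. c2lnLXNvYQ==
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN RRSIG NS 8 2 3600 20170620000000 20170521000000 12345 example.com. c2lnLW5z
www.example.com. 300 IN A 192.0.2.10
www.example.com. 300 IN RRSIG A 8 3 300 20170625000000 20170526000000 12345 example.com. c2lnLWE=
"""


@dataclass(frozen=True)
class RRSig:
    owner: str
    covered: str
    inception: datetime
    expiration: datetime


def parse_sig_time(field):
    # RFC 4034 3.2: either YYYYMMDDHHmmSS in UTC or decimal seconds since the epoch.
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsigs(zone_text):
    """Pick the RRSIG records out of a zone dump (assumes 'owner ttl class RRSIG ...' lines)."""
    sigs = []
    for line in zone_text.splitlines():
        t = line.split()
        # owner ttl class RRSIG covered alg labels origttl expiration inception keytag signer sig
        if len(t) < 13 or t[3] != "RRSIG":
            continue
        sigs.append(RRSig(owner=t[0], covered=t[4],
                          expiration=parse_sig_time(t[8]), inception=parse_sig_time(t[9])))
    return sigs


def soa_rrsig_expiry(sigs):
    """Expiration of the RRSIG covering the SOA, i.e. what an SOA-only check looks at."""
    soa = [s for s in sigs if s.covered == "SOA"]
    return min(s.expiration for s in soa) if soa else None


def earliest_expiry(sigs):
    """The RRSIG that really goes stale first; this is the value worth alerting on."""
    return min(sigs, key=lambda s: s.expiration)


def expired_before_soa(sigs):
    """RRsets whose signatures lapse before the SOA's does, ordered by expiration."""
    soa_exp = soa_rrsig_expiry(sigs)
    missed = [s for s in sigs if s.covered != "SOA" and s.expiration < soa_exp]
    return [(s.owner, s.covered) for s in sorted(missed, key=lambda s: s.expiration)]


def serial_gt(a, b):
    """RFC 1982: is serial a newer than serial b in 32-bit wrapping arithmetic?"""
    return a != b and ((a - b) % 2**32) < 2**31


def safe_to_publish(prev_serial, prev_digest, new_serial, new_digest):
    """The signer-side rule from the thread: a different zone body needs a newer serial."""
    if new_serial == prev_serial:
        return new_digest == prev_digest
    return serial_gt(new_serial, prev_serial)


if __name__ == "__main__":
    sigs = parse_rrsigs(SAMPLE_ZONE)
    first = earliest_expiry(sigs)
    print("SOA RRSIG expires:", soa_rrsig_expiry(sigs))
    print("earliest RRSIG:", first.owner, first.covered, first.expiration)
    print("missed by an SOA-only check:", expired_before_soa(sigs))
    print("2017061602 newer than 2017061601:", serial_gt(2017061602, 2017061601))
    print("same serial, changed content publishable:", safe_to_publish(1, "a", 1, "b"))
```

Monitoring `earliest_expiry` rather than the SOA RRSIG catches the stale zone as soon as any RRset's signature lapses; the SOA-only check fires only after every other signature in this zone has already expired. `safe_to_publish` returns False for the case Yuri calls a no-go, same serial with different content, whatever the RRSIG state.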
