[Opendnssec-user] SOA queries -> ServFail?

Yuri Schaeffer yuri at nlnetlabs.nl
Wed May 31 10:28:20 UTC 2017


Hi Havard,

> Doesn't OpenDNSSEC periodically query the upstream hidden master about
> its SOA version number, and update the "serial_xfr_acquired" timestamp
> after it has verified that no change in the SOA version number has
> occurred at the master?

We just had a discussion about this. It seems that OpenDNSSEC doesn't
actively probe for a new version, yet expires the zone when no
changes were received for a while. So a DNS input adapter in
combination with a static zone is an unfortunate combination.

We did not reach consensus on why it works like this. Oversight, maybe bad
assumptions in the past (the DNS-based adapters weren't added from the
start of the project). Or even if OpenDNSSEC should ever expire a
zone at all. Answer: it depends whether you consider OpenDNSSEC owner of
the zone.

In the long term we should implement active probing (for version > 2.X).
We are in the middle of a major Signer overhaul so we won't have that
soon. I do think however that for the short term it would be wise to
entirely disable the expiry logic in 1.4. Would it be acceptable to
never expire a zone even if the master goes away?

//Yuri
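
The timer interaction discussed in this message, as an added illustration that is not part of the original post and is not OpenDNSSEC code: a small model of secondary-zone expiry driven by the SOA refresh and expire timers. `SoaTimers`, `simulate`, and all timer values are constructed for the example; `acquired` stands in for the `serial_xfr_acquired` timestamp named in the quoted question.

```python
from dataclasses import dataclass

HOUR, DAY, WEEK = 3600, 86400, 7 * 86400

@dataclass
class SoaTimers:
    refresh: int  # seconds between checks against the master
    expire: int   # seconds without confirmation before the zone is dropped

def simulate(soa, master_up, horizon, probe, updates=(), expire_enabled=True):
    """Return the second at which the zone expires, or None if it never does.

    master_up(t) -> bool : whether the hidden master answers at time t
    probe                : True models active SOA probing (an unchanged serial
                           still confirms the zone); False models the behaviour
                           described in the mail, where only a received change
                           moves the timestamp
    updates              : times at which the master publishes a changed zone
    expire_enabled       : False models the proposed short-term change for 1.4
    """
    acquired = 0  # stand-in for serial_xfr_acquired
    for t in range(0, horizon + 1, soa.refresh):
        if master_up(t) and (probe or t in updates):
            acquired = t  # serial confirmed unchanged, or new zone transferred
        if expire_enabled and t - acquired >= soa.expire:
            return t
    return None

if __name__ == "__main__":
    soa = SoaTimers(refresh=HOUR, expire=DAY)  # constructed values
    up = lambda t: True
    gone = lambda t: t < 100000  # master disappears after ~27.8 hours
    cases = {
        "static zone, no probing": simulate(soa, up, WEEK, probe=False),
        "static zone, probing": simulate(soa, up, WEEK, probe=True),
        "changing zone, no probing": simulate(
            soa, up, WEEK, probe=False, updates=set(range(0, WEEK + 1, DAY // 2))),
        "probing, master goes away": simulate(soa, gone, WEEK, probe=True),
        "expiry disabled, master goes away": simulate(
            soa, gone, WEEK, probe=True, expire_enabled=False),
    }
    for name, expired_at in cases.items():
        print(f"{name:36s} -> {'never' if expired_at is None else expired_at}")
```

With expiry disabled the last case never stops serving the zone, which is the trade-off the closing question asks about: the signer keeps publishing data that the master can no longer confirm.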
