[Opendnssec-user] SOA queries -> ServFail?

Havard Eidnes he at uninett.no
Wed May 31 10:37:40 UTC 2017

>> Doesn't OpenDNSSEC periodically query the upstream hidden master about
>> its SOA version number, and update the "serial_xfr_acquired" timestamp
>> after it has verified that no change in the SOA version number has
>> occurred at the master?
> We just had a discussion about this. It seems that OpenDNSSEC doesn't
> actively probes for a new version but yet expires the zone when no
> changes where received for a while. So a DNS input adapter in
> combination with a static zone is an unfortunate combination.

That ought to be a fully supported and normal combination...

Looking at packet capture, it seems that my OpenDNSSEC does periodic
IXFR attempts, and even if there has been no change, the SOA record
for the zone is part of the response from the hidden master.  The
question is if you can piggyback the "query for SOA" functionality on
top of this, and note that the SOA record is the same as the one you
already have received, thus pushing the expiry timestamp into the

I'm not sure I like your suggestion of turning off the expiry logic...


- Håvard

More information about the Opendnssec-user mailing list