On 6/29/19 12:30 PM, Lefteris Tsintjelis via bind-users wrote:
> I prefer the text format and I always use masterfile-format text. I am always tempted to check if everything is OK. Probably a waste of time but I just feel safer if I can see things.

I'll argue that it doesn't matter (much) why you want text zones. You want them, therefore you should have them as long as it's an option.

> Secondaries though are almost always slaves, so writing suppression doesn't really matter for them. It is only the primary that matters, so if it could suspend writing for just one minute then everything would complete perfectly OK. The ACME record doesn't have to be permanently stored anywhere.

Hypothetical scenario: Secondary (slave) does not receive a notify, waits and polls the Primary (master) per standard DNS mechanisms.

If the secondary (slave) has a sufficiently old serial (say it's been offline for maintenance), it will see the new serial and do a zone transfer, including the temporary ACME records.

Timing and other conditions might make this unlikely to happen, but I think that it is a possibility.

> Thank you! This is the "proper" way to do it. I have tested the _acme-challenge only dynamic zone as you described it and it worked perfectly well and as expected but there is quite a lot to do for just one record for one minute in order to work properly.

This is why some people say "pick the lesser of the evils".  ;-)

> I am not sure about the CNAMEs. It sounds easier to implement as there is only one dynamic zone for all hosts but I am not sure how. The _acme-challenge.<host>, from what I know, is expected to be within the main domain zone in order for ACME to work properly, so how would it work in a separate dynamic one? Wouldn't ACME reject it?

The _acme-challenge.<host> record name is expected to be within the main domain zone. But there is nothing that prevents that record from being a CNAME to another zone.

_acme-challenge.www.example.org is a CNAME to www.example.org.dynamic.local
_acme-challenge.www.example.net is a CNAME to www.example.net.dynamic.local
_acme-challenge.www.example.com is a CNAME to www.example.com.dynamic.local

So the only dynamic zone is dynamic.local. Yet ACME clients can query their expected names, follow the CNAME, and get the data they need.



--
Grant. . . .
unix || die
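The layout described in the message above, modelled as an added example (it is not code from the thread, from BIND, or from any ACME client): three static zones each carry a `_acme-challenge.www.<apex>` CNAME into one dynamic zone, `dynamic.local`, and only that zone ever changes. The in-memory zones, the serial values, the TSIG key name `acme-key` and the tokens are constructed for illustration; `policy_update` is a stand-in for a BIND `update-policy { grant acme-key zonesub TXT; };` on the dynamic zone, and `resolve_txt` follows the CNAME the way a validator's resolver would. It also shows the point made earlier in the thread: the static zones' serials never move, so a secondary that polls later has nothing new to transfer.

```python
from dataclasses import dataclass, field
from typing import Optional

DYNAMIC_ZONE = "dynamic.local"   # the single dynamic zone from the thread (constructed name)
ACME_KEY = "acme-key"            # TSIG key name the updater presents (constructed)


@dataclass
class Zone:
    """Minimal in-memory zone: apex name, SOA serial, (owner, type) -> list of rdata."""
    name: str
    serial: int
    records: dict = field(default_factory=dict)

    def add(self, owner: str, rtype: str, rdata: str) -> None:
        self.records.setdefault((owner.lower(), rtype), []).append(rdata)
        self.serial += 1          # every dynamic change bumps the serial

    def delete(self, owner: str, rtype: str) -> None:
        if self.records.pop((owner.lower(), rtype), None) is not None:
            self.serial += 1

    def lookup(self, owner: str, rtype: str) -> list:
        return list(self.records.get((owner.lower(), rtype), []))


def build_zones() -> dict:
    """Static zones with the CNAMEs from the thread plus the one dynamic zone (constructed data)."""
    zones = {}
    for apex in ("example.org", "example.net", "example.com"):
        z = Zone(apex, serial=2019062901)
        z.records[("www." + apex, "A")] = ["192.0.2.10"]
        z.records[("_acme-challenge.www." + apex, "CNAME")] = ["www." + apex + "." + DYNAMIC_ZONE]
        zones[apex] = z
    zones[DYNAMIC_ZONE] = Zone(DYNAMIC_ZONE, serial=1)
    return zones


def zone_for(zones: dict, name: str) -> Zone:
    """Longest-suffix match of an owner name to one of the loaded zones."""
    name = name.lower().rstrip(".")
    best = None
    for apex, z in zones.items():
        if name == apex or name.endswith("." + apex):
            if best is None or len(apex) > len(best.name):
                best = z
    if best is None:
        raise LookupError("no zone for " + name)
    return best


def policy_update(zones: dict, key: str, owner: str, rtype: str,
                  rdata: Optional[str], action: str) -> bool:
    """Analogue of `grant acme-key zonesub TXT` on dynamic.local: the key may only
    add or delete TXT records inside the dynamic zone. Returns True when applied."""
    z = zone_for(zones, owner)
    if key != ACME_KEY or z.name != DYNAMIC_ZONE or rtype != "TXT":
        return False                      # wrong key, wrong zone or wrong type: refused
    if action == "add" and rdata is not None:
        z.add(owner, rtype, rdata)
    elif action == "delete":
        z.delete(owner, rtype)
    else:
        return False
    return True


def challenge_owner(host: str) -> str:
    """Where the validation TXT lives: <host>.dynamic.local, the CNAME target."""
    return host + "." + DYNAMIC_ZONE


def issue_challenge(zones: dict, host: str, token: str) -> bool:
    return policy_update(zones, ACME_KEY, challenge_owner(host), "TXT", token, "add")


def clear_challenge(zones: dict, host: str) -> bool:
    return policy_update(zones, ACME_KEY, challenge_owner(host), "TXT", None, "delete")


def resolve_txt(zones: dict, name: str, max_hops: int = 8) -> list:
    """Follow CNAMEs as a validator's resolver would; guard against loops and long chains."""
    seen = set()
    for _ in range(max_hops):
        key = name.lower().rstrip(".")
        if key in seen:
            raise RuntimeError("CNAME loop at " + key)
        seen.add(key)
        z = zone_for(zones, key)
        txt = z.lookup(key, "TXT")
        if txt:
            return txt
        cname = z.lookup(key, "CNAME")
        if not cname:
            return []
        name = cname[0]
    raise RuntimeError("CNAME chain longer than %d hops" % max_hops)


if __name__ == "__main__":
    zones = build_zones()
    issue_challenge(zones, "www.example.org", "tokenA")
    print(resolve_txt(zones, "_acme-challenge.www.example.org"))
    print(zones["example.org"].serial, zones[DYNAMIC_ZONE].serial)
    clear_challenge(zones, "www.example.org")
```

The refusal branches in `policy_update` are the part worth keeping in mind when writing the real `update-policy`: the ACME key should be able to create and remove TXT records under `dynamic.local` and nothing else, so a compromised client key cannot touch the A records or the static zones.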

