> While working on draft-ietf-dnsop-dnssec-keyrestore[0] we found
> that we needed to force secondary servers to perform an AXFR of our
> zone without checking the serial number in the SOA record. While
> DNS implementations have knobs to force a transfer from the secondary
> (e.g. "rndc retransfer" in BIND, "nsd-control force_transfer" in
> NSD), there is currently no mechanism to make a primary server
> force its secondaries to perform an AXFR without checking the
> serial. The below draft introduces such a mechanism.
> 
> We think this feature could be more widely beneficial for cases
> where there is an inconsistency between the view of a zone on a
> primary and a secondary server not under control of the same
> operator. We'd love to hear what others think.

I'm a bit worried about what will happen if the graph that connects the nameservers
is not a tree.

1) A secondary may receive multiple notifies. Without a SOA check the 
   number of zone transfers may get out of hand.

2) A loop in this graph may cause an endless series of zone transfers.

3) A secondary could receive a notify but not know which upstream nameserver
   has a more recent version of the zone.

I wonder: the SOA serial is an in-band mechanism. Maybe it is easy enough
to add an out-of-band mechanism. For example, we have the ZONEVERSION
EDNS(0) option. Maybe that can be added to both the notify and the AXFR
request.

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
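The concerns raised above (multiple notifies reaching one secondary, and a loop in the nameserver graph) can be made concrete with a small simulation. The code below is an added example, not part of the draft or of either message; it models a zone update flowing through a graph of nameservers where each secondary, on receiving a NOTIFY, either transfers unconditionally ("forced", the draft's AXFR without a serial check) or only when the notifying upstream's version is newer than its own copy ("checked", standing in for either an SOA query or a version carried in the NOTIFY such as ZONEVERSION). The graphs, server names and serial values are constructed for the example.

```python
"""Simulation of NOTIFY-driven zone transfer over a nameserver graph.

Added example (not from the draft or the mailing-list posts). Modes:
  forced  - on every NOTIFY, AXFR from the notifying upstream without
            comparing versions, then NOTIFY own secondaries;
  checked - on NOTIFY, compare the upstream's version with the copy held
            (SOA serial or a version carried in the NOTIFY) and only
            transfer, and re-NOTIFY, if the upstream is newer.
Graphs, names and serials are constructed for the example.
"""
from collections import deque


def propagate(edges, origin, new_serial, forced, max_events=1000):
    """Run one zone update published at `origin` through `edges`.

    edges: dict mapping a primary to the list of secondaries it NOTIFYs.
    Returns (transfers_per_server, endless) where `endless` is True if the
    NOTIFY/AXFR chain did not settle within max_events (a loop).
    """
    servers = set(edges) | {s for secs in edges.values() for s in secs}
    serial = {n: new_serial - 1 for n in servers}   # all hold the old copy
    serial[origin] = new_serial                     # origin has the new one
    transfers = {n: 0 for n in servers}

    # pending NOTIFY messages as (sender, receiver) pairs
    queue = deque((origin, sec) for sec in edges.get(origin, []))
    events = 0
    while queue:
        events += 1
        if events > max_events:
            return transfers, True
        upstream, sec = queue.popleft()
        if not forced and serial[upstream] <= serial[sec]:
            continue   # nothing newer upstream: no AXFR, no re-NOTIFY
        # AXFR from the notifying upstream, then NOTIFY our own secondaries
        serial[sec] = serial[upstream]
        transfers[sec] += 1
        queue.extend((sec, d) for d in edges.get(sec, []))
    return transfers, False


# Constructed topologies: D has two upstreams; the ring makes A a
# secondary of C, so the graph is not a tree in either case.
DIAMOND = {"A": ["B", "C"], "B": ["D"], "C": ["D"]}
RING = {"A": ["B"], "B": ["C"], "C": ["A"]}


def demo():
    """Total transfers and loop flag for each topology and mode."""
    results = {}
    for label, graph in (("diamond", DIAMOND), ("ring", RING)):
        for forced in (True, False):
            transfers, endless = propagate(graph, "A", 2024010101, forced)
            results[(label, forced)] = (sum(transfers.values()), endless)
    return results


if __name__ == "__main__":
    for (label, forced), (n, endless) in demo().items():
        mode = "forced AXFR" if forced else "version-checked"
        print(f"{label:8} {mode:16} transfers={n:5} endless={endless}")
```

In the diamond, forced mode makes D transfer twice (once per upstream NOTIFY) while the checked mode transfers it once; in the ring, forced mode never settles because every AXFR re-NOTIFies the next hop, whereas the checked mode stops as soon as A is notified by C with the serial A already holds.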