Hi JP,

I'll try to provide some explanation, hoping to answer what you are asking.

The block-notify-after-transfer option is very specific and dedicated to a special, narrow use-case; I guess some of our users requested it. It shall prevent "NOTIFY storms" when operating very many zones. The user is expected to handle triggering downstream zone transfers somehow, e.g. by relying on SOA timers or calling `knotc zone-notify <some_zones>` in some batches. I recommend not using this option unless you really know what you're doing and why this option is essential for you.

Anyway, there seems to be some misunderstanding about the operation of the bump-in-the-wire signer (i.e. the server that has primaries configured and DNSSEC signing enabled). When a zone is downloaded (by AXFR or IXFR), the un-signed zone is never published; instead, the signing routine is part of the XFR processing. It's not that the un-signed zone is first downloaded, published, and only after that signed and published again. It is not considered ready until signed. Therefore, it makes no sense to send NOTIFY before it gets signed. However, it might happen later that the zone is signed again (e.g. due to key roll-overs or RRSIG expiration) without (any need for) another transfer from the (meanwhile unupdated) primary -- in which case the NOTIFY is obviously sent as well.

Please try to ask again if I haven't brought enough light.

Thanks,

Libor

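As an added illustration of the "batches" approach Libor mentions (this is example code written for this thread, not part of Knot DNS or of either poster's setup): a small POSIX shell script that reads a zone list and invokes `knotc zone-notify` on a fixed number of zones at a time, pausing between batches so the secondaries are not flooded when `block-notify-after-transfer: on` suppresses the automatic NOTIFYs. The zone list file, the batch size, the pause length and the `KNOTC` override variable are all assumptions made here; `knotc zone-notify` itself is the command named in the reply above.

```shell
#!/bin/sh
# Added example, not from the original thread: send NOTIFY for many zones in
# batches with `knotc zone-notify`, for setups where the primary remote has
# block-notify-after-transfer: on and automatic NOTIFY is therefore suppressed.
# Assumptions (chosen for this example, not Knot settings): zone names come one
# per line from a file; KNOTC, BATCH_SIZE and SLEEP_BETWEEN are tunables.

KNOTC="${KNOTC:-knotc}"                 # command to run; override for dry runs
BATCH_SIZE="${BATCH_SIZE:-50}"          # zones per knotc invocation
SLEEP_BETWEEN="${SLEEP_BETWEEN:-2}"     # seconds to pause between batches

# Print the zones from the list file in groups of $2 names, one group per line.
# Blank lines and '#' comments are skipped; only the first field of a line is
# used, so stray whitespace around a zone name is ignored.
split_batches() {
    zone_list="$1"
    size="$2"
    grep -v '^[[:space:]]*#' "$zone_list" | grep -v '^[[:space:]]*$' \
        | awk -v n="$size" '
            { line = line (line == "" ? "" : " ") $1 }
            NR % n == 0 { print line; line = "" }
            END { if (line != "") print line }'
}

# Run `knotc zone-notify` once per batch and pause between batches. Stops at
# the first failing knotc call so a broken control socket is noticed early.
notify_in_batches() {
    zone_list="$1"
    split_batches "$zone_list" "$BATCH_SIZE" | while read -r batch; do
        # word splitting of $batch is intended: one argument per zone name
        "$KNOTC" zone-notify $batch || exit 1
        sleep "$SLEEP_BETWEEN"
    done
}

# Usage: notify_in_batches /etc/knot/zones-to-notify.txt
```

Running it with `KNOTC=echo` prints the `zone-notify` commands without touching the server, which is a convenient way to check the batching before pointing it at a live `knotc`.
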
On 23. 08. 23 at 20:21, Jan-Piet Mens wrote:
Hello!

I have a Knot 3.2.5 server running here which, for most zones, acts as a
bump-in-the-wire signer, and it's doing exactly what I expect it to do.

The same server carries a few secondary zones which are not signed, and I
notice that when Knot transfers these zones in, it doesn't NOTIFY its
secondaries, something which works fine for DNSSEC signed zones.

The following configuration is in place:

remote:
  - id: pdns
    address: 192.168.25.45@53
    key: dsupload
    block-notify-after-transfer: on  # <-------
    automatic-acl: on

template:
  - id: default
    zonefile-load: difference
    file: "%s"
    serial-policy: dateserial
    master: pdns
    catalog-role: member
    catalog-zone: katz1
    acl: [ xfr, notify_from_pdns, xfer_to_bind ]
    notify: [ s1, s2, s3 ]

policy:
  - id: manualHSM
    manual: on
    keystore: thales
    cds-cdnskey-publish: rollover
    ksk-submission: ds_checker
    ds-push: pdns

zone:
  - domain: sig.example
    dnssec-policy: manualHSM
    dnssec-signing: on

  - domain: notsig.example
    dnssec-signing: off

When sig.example is transferred in, Knot signs it, NOTIFYs its secondaries
(s1--s3), they XFR the zone and all's well.

When the unsigned notsig.example is transferred in, the logs indicate Knot is seeing the new serial, and that's it; the secondaries are not NOTIFYd. (I can
manually `knotc notify`, but that's not the point.)

Setting `block-notify-after-transfer: off` on the remote remediates this. Knot then does NOTIFY its secondaries for the unsigned zone (and for the signed
zone).

The documentation states:

    "When incoming AXFR/IXFR from this remote (as a primary server),
    suppress sending NOTIFY messages to all configured secondary servers."

However, if I switch it off (i.e. enable notification), I do not see the NOTIFY when Knot initially transfers the unsigned zone which is then signed and hence
then notified.

Is this behavior expected, and have I interpreted it correctly?

Thanks & best regards,

    -JP