Hi, I'm slowly getting acquainted with OpenDNSSEC, now version 1.4.1.
It seems to me that when you configure OpenDNSSEC to use DNS to fetch an unsigned zone and provide a signed zone, it behaves differently from a proper DNS server in one important aspect, namely that it does not appear to do periodic SOA queries towards the provider of the unsigned zone, and it does not appear to answer SOA queries itself, but rather appears to depend singularly on notify messages to trigger zone transfers and re-signing operations.

True? False? Is that operationally "OK"? I would have thought "no", because there are no hard guarantees that notify messages will be delivered, e.g. in the case of temporary network outage or temporary name server failure, causing the need for additional manual operational intervention after such an event. This looks like a step in the wrong direction...

If this is true, it also means that you must have notify configured for your OpenDNSSEC server on the source name server, and cannot rely on the otherwise normal periodic SOA queries to trigger zone updates.

Best regards,

- Håvard