On 2013-08-08, at 12:39, Havard Eidnes <h...@uninett.no> wrote:

>> Why not configure a regular nameserver on the same host as
>> opendnssec instead of replicating full functionality in
>> opendnssec itself?
>
> Well... This may at least partly stem from my local wishes for
> deployment. I wanted to not touch the current originating name
> server, and continue to maintain the zones there, and use
> OpenDNSSEC as a "bump on the wire" between the now hidden master
> and the new distribution master name server.
>
> In other words, I wanted to use "DNS in", and at the same time
> "DNS out" for transferring respectively unsigned and signed
> zones. After all, that is supposed to be a supported feature,
> now, with 1.4?
We have done that since 1.00 at ICANN for many zones. Our approach was
to transfer the zones in from cron using dig axfr wrapped with a bit of
sh, rather than waiting for NOTIFY (1.00 didn't include support for
NOTIFY). Even with quite a few zones to handle, albeit none of them very
large, pulling all the zones in on a fairly rapid schedule rather than
waiting for NOTIFYs doesn't cause any significant headache for us.

> If I want to use the "DNS in" adapter, it seems to me that
> OpenDNSSEC lays claim to port 53, so that presents an additional
> challenge if you want to run a real name server in parallel with
> OpenDNSSEC.

Well, there's nothing to say you have to bind a private-use nameserver
to port 53. You can bind to a different port, and configure your origin
masters (for the unsigned zones) to notify a different port.

> (Even though you can configure the signer to listen
> to another port than 53, I don't immediately see a way for me to
> configure BIND to send notify messages to another port than port
> 53.)

  also-notify { target-address port target-port; };

I'm not suggesting that what you say doesn't make sense, just that
there are workarounds that might well be acceptable.

Joe

_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
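The cron-driven "dig axfr wrapped with a bit of sh" approach described above, written out as an added example. This is not ICANN's script, nor code from the OpenDNSSEC project; the master address, the unsigned-zone directory, the zone list, the TSIG key file and the script name are assumptions. It pulls each zone with AXFR, refuses a truncated transfer (a complete AXFR begins and ends with the SOA), installs the file only when the SOA serial actually changed, and then asks the signer to resign that zone.

```shell
#!/bin/sh
# Added example, not OpenDNSSEC's or the poster's own code.
# Pull unsigned zones from a hidden master with `dig axfr` and hand them
# to the signer only when the SOA serial changed. Meant to run from cron.

MASTER="${MASTER:-192.0.2.1}"                              # hidden master (assumed)
UNSIGNED_DIR="${UNSIGNED_DIR:-/var/opendnssec/unsigned}"  # assumed input directory
ZONES="${ZONES:-example.com example.net}"                  # assumed zone list
TSIG_KEYFILE="${TSIG_KEYFILE:-}"   # optional: dig -k key file; restrict allow-transfer on the master

# Print the serial of the first SOA RR in a file as written by `dig axfr`
# (one RR per line: name ttl class type mname rname serial ...).
# Lines beginning with ';' are dig's own comments and are skipped.
soa_serial() {
    awk '$1 !~ /^;/ && $4 == "SOA" { print $7; exit }' "$1"
}

# A complete AXFR starts and ends with the SOA RR. Fewer than two SOA lines
# means the transfer was truncated or failed, and the file must not be used.
axfr_complete() {
    [ "$(awk '$1 !~ /^;/ && $4 == "SOA"' "$1" | wc -l)" -ge 2 ]
}

# True (exit 0) when NEW should replace OLD: OLD is missing or serials differ.
zone_changed() {
    [ -f "$1" ] || return 0
    [ "$(soa_serial "$1")" != "$(soa_serial "$2")" ]
}

# Transfer one zone into a temp file, validate it, install it atomically and
# tell the signer to resign. Returns 0 only when a new version was installed.
fetch_zone() {
    zone="$1"
    dest="$UNSIGNED_DIR/$zone"
    tmp="$(mktemp "$dest.XXXXXX")" || return 1
    if dig +noall +answer ${TSIG_KEYFILE:+-k "$TSIG_KEYFILE"} @"$MASTER" "$zone" axfr > "$tmp" \
       && axfr_complete "$tmp"; then
        if zone_changed "$dest" "$tmp"; then
            mv "$tmp" "$dest"
            ods-signer sign "$zone"     # OpenDNSSEC 1.x: resign this zone now
            return 0
        fi
    else
        echo "AXFR of $zone from $MASTER failed or was incomplete" >&2
    fi
    rm -f "$tmp"
    return 1
}

main() {
    for z in $ZONES; do
        fetch_zone "$z"
    done
}

# Run only when executed as pull-unsigned.sh, so the functions can be sourced.
if [ "${0##*/}" = "pull-unsigned.sh" ]; then
    main
fi
```

Two things worth keeping when adapting this: the transfer should be authenticated with TSIG (the `-k` key file above) and the master's allow-transfer restricted to the signer host, since an unauthenticated AXFR lets anyone who can reach the master feed the signer a zone; and the serial check is what keeps a "fairly rapid schedule" cheap, because an unchanged zone never triggers a resign.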