>> Doesn't OpenDNSSEC periodically query the upstream hidden master about
>> its SOA version number, and update the "serial_xfr_acquired" timestamp
>> after it has verified that no change in the SOA version number has
>> occurred at the master?
>
> We just had a discussion about this. It seems that OpenDNSSEC doesn't
> actively probe for a new version but yet expires the zone when no
> changes were received for a while. So a DNS input adapter in
> combination with a static zone is an unfortunate combination.
That ought to be a fully supported and normal combination...

Looking at packet capture, it seems that my OpenDNSSEC does periodic
IXFR attempts, and even if there has been no change, the SOA record
for the zone is part of the response from the hidden master. The
question is if you can piggyback the "query for SOA" functionality on
top of this, and note that the SOA record is the same as the one you
already have received, thus pushing the expiry timestamp into the
future?

I'm not sure I like your suggestion of turning off the expiry logic...

Regards,

- Håvard
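The behaviour discussed in this thread, as an added example that is not part of the original message and is not OpenDNSSEC's own code: a small model of a secondary's expiry timer, showing a static zone expiring unless an unchanged SOA in the periodic response counts as confirmation. Apart from `serial_xfr_acquired`, which is named in the thread, every name, the serial and the timer values are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <time.h>

/* Hypothetical per-zone state; only serial_xfr_acquired is named in the thread. */
struct zone_state {
    uint32_t serial_xfr;          /* SOA serial of the copy we hold */
    time_t   serial_xfr_acquired; /* when that copy was last confirmed current */
    uint32_t soa_expire;          /* SOA EXPIRE, in seconds */
};

enum refresh_result { REFRESH_FAILED, REFRESH_UNCHANGED, REFRESH_NEEDS_XFR };

/* RFC 1982 serial arithmetic: true if a is newer than b. */
static bool serial_gt(uint32_t a, uint32_t b)
{
    return a != b && (uint32_t)(a - b) < 0x80000000u;
}

static bool zone_expired(const struct zone_state *z, time_t now)
{
    return now - z->serial_xfr_acquired > (time_t)z->soa_expire;
}

/* Outcome of one periodic IXFR/SOA attempt. master_serial is the serial of the
 * SOA carried in the master's response; refresh_on_unchanged selects whether a
 * same-serial answer pushes the expiry timestamp forward. */
static enum refresh_result on_refresh(struct zone_state *z, bool got_answer,
                                      uint32_t master_serial, time_t now,
                                      bool refresh_on_unchanged)
{
    if (!got_answer)
        return REFRESH_FAILED;          /* no contact: expiry timer keeps running */
    if (serial_gt(master_serial, z->serial_xfr))
        return REFRESH_NEEDS_XFR;       /* caller transfers, then updates state */
    if (refresh_on_unchanged && master_serial == z->serial_xfr)
        z->serial_xfr_acquired = now;   /* master confirmed our copy is current */
    return REFRESH_UNCHANGED;
}

/* Poll a never-changing zone every `interval` seconds up to `duration`;
 * returns true if it expired. Serial and EXPIRE are constructed sample values. */
static bool simulate_static_zone(bool refresh_on_unchanged, bool master_up,
                                 time_t interval, time_t duration)
{
    struct zone_state z = { 2024010101u, 0, 3600 };
    for (time_t now = interval; now <= duration; now += interval) {
        on_refresh(&z, master_up, z.serial_xfr, now, refresh_on_unchanged);
        if (zone_expired(&z, now))
            return true;
    }
    return false;
}
```

With the confirmation enabled, the zone still expires when the master stops answering, so the expiry logic keeps its purpose.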
