Hi Peter,

> I'm not using this, but here are my 2 cents: PowerDNS, when operating
> as a slave, will periodically check the SOA serial (like most DNS
> daemons do when configured as a slave for a zone). On top of that, we
> also check the expiry of the SOA RRSIG. If that changes, we also
> refetch the zone. Thus, with PowerDNS slaves, 'keep' is a legit use
> case. Other daemons may want to consider also implementing this.
> Users of daemons that do not implement this will, of course, need to
> be careful about either (a) updating their upstream zones
> periodically or (b) forcing periodic refetches from OpenDNSSEC.
Interesting idea. But it doesn't really solve the problem at hand. Specifically, if OpenDNSSEC would use 'keep' and it doesn't get an update from the master, it isn't able to publish a new version of the zone since it cannot bump the serial on its own. As signing software it is in my opinion really a no-go to publish a zone twice with the same version number but with different content. (Imagine how this would screw up IXFR, amongst other problems.) So even if PowerDNS would detect an expired RRSIG SOA, it can't get a 'good' version from OpenDNSSEC until upstream bumps the unsigned zone.

Moreover, the SOA signature is guaranteed to expire last, since the SOA WILL get resigned for every new version. So it is a poor method of detecting a stale zone.

So the feature might enhance the refresh value from the SOA, which is nice I guess, but I don't think it will solve much here.

//Yuri
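An added example (not code from OpenDNSSEC, PowerDNS or anyone in this thread) that illustrates the point about the SOA RRSIG expiring last: it parses the RRSIGs of a constructed, signed zone snippet and compares the SOA RRSIG expiration with the earliest expiration over all RRSIGs, which is the value a staleness monitor should actually watch. The zone text, names and key tag are made up for illustration.

```python
"""Stale-signature check for a DNSSEC zone in presentation format.

Added example, not OpenDNSSEC or PowerDNS code. RRSIG fields follow RFC 4034:
type-covered alg labels orig-ttl expiration inception keytag signer signature,
with expiration/inception as YYYYMMDDHHmmSS in UTC.
"""
from datetime import datetime, timezone

# Constructed sample: the SOA was re-signed with the latest zone version,
# while an older A-record RRSIG is still carried over from an earlier run.
SAMPLE_ZONE = """\
example.test. 3600 IN RRSIG SOA 8 2 3600 20240301000000 20240201000000 12345 example.test. c2ln
example.test. 3600 IN RRSIG NS 8 2 3600 20240215000000 20240201000000 12345 example.test. c2ln
www.example.test. 3600 IN RRSIG A 8 3 3600 20240210000000 20240120000000 12345 example.test. c2ln
www.example.test. 3600 IN A 192.0.2.10
"""


def parse_rrsig_time(s):
    """Parse an RRSIG expiration/inception field into an aware UTC datetime."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rrsig_expirations(zone_text):
    """Return {type_covered: earliest expiration} over every RRSIG in the text."""
    out = {}
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 12 or fields[3] != "RRSIG":
            continue
        covered, exp = fields[4], parse_rrsig_time(fields[8])
        if covered not in out or exp < out[covered]:
            out[covered] = exp
    return out


def staleness_report(zone_text, now):
    """Compare the SOA-only check against the earliest RRSIG in the zone."""
    exps = rrsig_expirations(zone_text)
    soa_exp = exps.get("SOA")
    earliest_type, earliest_exp = min(exps.items(), key=lambda kv: kv[1])
    return {
        "soa_rrsig_expires": soa_exp,
        "earliest_rrsig_type": earliest_type,
        "earliest_rrsig_expires": earliest_exp,
        "soa_check_says_stale": soa_exp is not None and soa_exp <= now,
        "zone_actually_stale": earliest_exp <= now,
    }


if __name__ == "__main__":
    for key, value in staleness_report(SAMPLE_ZONE, datetime.now(timezone.utc)).items():
        print(f"{key}: {value}")
```

With the constructed data and a clock set to 2024-02-20, the SOA-based check reports the zone as fine while the A-record signature has already expired.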
_______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
