[dns-operations] dnssec via dynamic updates

Peter Andreev andreev.peter at gmail.com
Sat Mar 19 13:07:37 UTC 2016


2016-03-19 0:25 GMT+03:00 Mark Andrews <marka at isc.org>:
>
> In message <CAE_wXn3iFoqZkz7EDcvigwWQe=Ynv94MDMmKP0brtRdXk51RDQ at mail.gmail.com>, Peter Andreev writes:
>> Bert,
>>
>> Thank you, I'll take a closer look at PowerDNS.
>>
>> Brett, Evan,
>>
>> The signer is under third-party management and I have no access to it.
>> After signing they upload a zone file to a server under my command. I
>> can negotiate the file format, whether it is, for example, a zone file or
>> food for nsupdate or whatever, but changing the way we interact is
>> near-impossible.
>
> I'm still not clear why you need to do UPDATE.  You need to compute
> a delta and send it in a single UPDATE message which is limited
> to 64K.  Named's ixfr-from-differences can compute the delta and
> is not limited to a 64K delta size.

In my case computing a delta would be much faster (seconds for an SQL
query) than loading a zone into BIND, which takes several minutes.
Also, the signer and the master can't connect to each other directly.

>
> Named does simple secure update which essentially says named is
> managing the DNSSEC records.  It wouldn't be hard to add an option
> to disable all the extra work simple secure update does.
>
> Mark
>
>> 2016-03-18 20:29 GMT+03:00 Evan Hunt <each at isc.org>:
>> > On Fri, Mar 18, 2016 at 03:51:44PM +0300, Peter Andreev wrote:
>> >> Unfortunately xfr is not an option. The main point is that the public server
>> >> should know nothing about the signer and vice versa.
>> >
>> > I'm not clear why *XFR isn't an option for this? You don't need to have
>> > your hidden master listed in the NS RRset where the public can see it; you
>> > only need it in the name server configuration. (In BIND terms, the signer
>> > needs to be listed in the "masters" option on the slave(s), and the
>> > slave(s) must be in the "allow-transfer" ACL on the signer.)
>> >
>> > --
>> > Evan Hunt -- each at isc.org
>> > Internet Systems Consortium, Inc.
>>
>>
>>
>> --
>> Is there any problem Exterminatus cannot solve? I have not found one yet.
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org



-- 
Is there any problem Exterminatus cannot solve? I have not found one yet.
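As an added example, not code from the thread, from BIND or from any signer: the delta Mark describes, computed from two zone snapshots in presentation format (one RR per line, as a signer or `named-checkzone -D` would write them) and cut into batches of nsupdate input so that each batch can go out as one UPDATE message. The zone data is constructed, the 60000-byte default is an assumed margin under the 64K limit, and text length is only a rough proxy for wire size; as Mark notes, feeding RRSIG/NSEC records this way into a named zone that runs simple secure update collides with named's own management of those records.

```python
# Constructed example: diff two signed-zone snapshots (presentation format,
# one RR per line) into batched nsupdate input. Not from the thread.
OLD_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2016031801 7200 3600 1209600 3600
example.com. 3600 IN NS ns1.example.com.
www.example.com. 300 IN A 192.0.2.10
www.example.com. 300 IN RRSIG A 8 3 300 20160401000000 20160318000000 12345 example.com. OLDSIGbase64==
"""
NEW_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2016031901 7200 3600 1209600 3600
example.com. 3600 IN NS ns1.example.com.
www.example.com. 300 IN A 192.0.2.11
www.example.com. 300 IN RRSIG A 8 3 300 20160402000000 20160319000000 12345 example.com. NEWSIGbase64==
"""

def parse_zone(text):
    """Set of whitespace-normalised RR lines; comments and blanks dropped."""
    rrs = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if line:
            rrs.add(" ".join(line.split()))
    return rrs

def compute_delta(old, new):
    """Deletes before adds so a changed RRset is replaced, not merged.
    RFC 2136 ignores SOA deletes and replaces the SOA on add when the
    new serial is higher, so the old SOA is never explicitly deleted."""
    cmds = [f"update delete {rr}" for rr in sorted(old - new) if " IN SOA " not in rr]
    cmds += [f"update add {rr}" for rr in sorted(new - old)]
    return cmds

def batch(cmds, limit=60000):
    """Split commands into batches whose text stays under `limit` bytes.
    Text length only approximates the wire size; the default keeps a
    margin below the 65535-byte UPDATE message limit from the thread."""
    batches, cur, size = [], [], 0
    for cmd in cmds:
        n = len(cmd.encode()) + 1
        if cur and size + n > limit:
            batches.append(cur)
            cur, size = [], 0
        cur.append(cmd)
        size += n
    if cur:
        batches.append(cur)
    return batches

def nsupdate_script(batches, zone="example.com."):
    """One 'zone ... send' block per batch, ready to pipe into nsupdate."""
    return "".join(f"zone {zone}\n" + "\n".join(b) + "\nsend\n" for b in batches)
```

Unchanged records (the NS here) produce no commands, and a batch limit small enough to force one command per message shows the splitting behaviour.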


