[dns-operations] BIND, Knot and NSD behaviour when serial number goes backwards

Anand Buddhdev anandb at ripe.net
Mon Feb 20 16:57:09 UTC 2017

On 20/02/2017 17:43, Paul Vixie wrote:

Hi Paul,

> there is no need for tsig in notify.

I disagree.

> signed or not it's only a hint. an SOA query still has to be made.

No, it doesn't. A TSIG-signed NOTIFY message with a serial number can be
trusted. If a slave receives such a message, and it already has that
serial number, it can choose to do nothing.

In fact, this feature has been implemented in Knot DNS 2.4 at my
suggestion, and I like it. Our slaves have several upstream masters.
When a slave receives the first NOTIFY for a zone from one of the
masters, and it is out of date, it refreshes the zone. Within the next
several seconds or minutes, if that slave receives more signed NOTIFY
messages with the same serial, it can just ignore those, and spend its
resources doing something else.

So I'd like to reiterate that TSIG-signed NOTIFY messages with a serial
number are a good thing. In fact, we have configured our BIND masters to
notify all our slaves with TSIG-signed messages. And at least our Knot
slaves are making use of this feature to avoid unnecessary SOA, IXFR and
AXFR queries altogether.


More information about the dns-operations mailing list