[dns-operations] BIND, Knot and NSD behaviour when serial number goes backwards

Paul Vixie paul at redbarn.org
Mon Feb 20 17:23:30 UTC 2017

Anand Buddhdev wrote:
> ... A TSIG-signed NOTIFY message with a serial number can be trusted.

> If a slave receives such a message, and it already has that
> serial number, it can choose to do nothing.

that's true in the unsigned case, signing adds nothing there.

> In fact, this feature has been implemented in Knot DNS 2.4 at my
> suggestion, and I like it. Our slaves have several upstream masters.
> When a slave receives the first NOTIFY for a zone from one of the
> masters, and it is out of date, it refreshes the zone. Within the next
> several seconds or minutes, if that slave receives more signed NOTIFY
> messages with the same serial, it can just ignore those, and spend its
> resources doing something else.

it was already ignoring those, before/without tsig. an unsecure hint
that tells you something you already know is as valuable as a secure
hint. notify was designed with lack-of-bcp38-ever as a constraint.

> So I'd like to reiterate that TSIG-signed NOTIFY messages with a serial
> number are a good thing. In fact, we have configured our BIND masters to
> notify all our slaves with TSIG-signed messages. And at least our Knot
> slaves are making use of this feature to avoid unnecessary SOA, IXFR and
> AXFR queries altogether.

since all it's buying you is avoidance of the initial SOA query, i don't
think the complexity you're paying is worth what you're getting.

i think tsig would be better applied to a new ixfr-push protocol.

P Vixie
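
Added example (not part of the original message, and not code from BIND, Knot DNS or NSD): a Python model of the secondary-side NOTIFY decision debated in this thread, using RFC 1982 serial arithmetic. The function and parameter names are hypothetical, and ignoring a NOTIFY whose serial compares as older is an assumption of this sketch.

```python
from enum import Enum

MOD = 1 << 32    # SOA serials are 32-bit and wrap around (RFC 1982)
HALF = 1 << 31


class Action(Enum):
    IGNORE = "ignore"        # nothing to fetch
    SOA_QUERY = "soa-query"  # treat NOTIFY as a hint, ask the master for its SOA
    TRANSFER = "transfer"    # go straight to IXFR/AXFR


def serial_gt(a, b):
    """True if serial a is newer than b; False if equal, older or undefined."""
    diff = (a - b) % MOD
    return 0 < diff < HALF


def on_notify(local_serial, notify_serial, tsig_ok, trust_signed_serial):
    """Decide what a secondary does with one NOTIFY.

    notify_serial is None when the NOTIFY carried no SOA record.
    trust_signed_serial models the opt-in behaviour described in the quoted
    text: a serial in a TSIG-verified NOTIFY is acted on directly.
    """
    if notify_serial is None:
        return Action.SOA_QUERY
    if notify_serial == local_serial:
        # Already have it: ignored whether or not the message was signed.
        return Action.IGNORE
    if not serial_gt(notify_serial, local_serial):
        # Serial went backwards (or is incomparable). Assumption: ignore.
        return Action.IGNORE
    if tsig_ok and trust_signed_serial:
        # The only case where signing changes the outcome: the SOA query is skipped.
        return Action.TRANSFER
    return Action.SOA_QUERY


def demo():
    """Constructed sample cases: (local, notified, tsig_ok, trust_signed_serial)."""
    cases = [
        (2017022001, 2017022001, False, False),  # duplicate, unsigned
        (2017022001, 2017022001, True, True),    # duplicate, signed
        (2017022001, 2017022002, False, False),  # newer, unsigned
        (2017022001, 2017022002, True, True),    # newer, signed and trusted
        (0xFFFFFFFF, 1, True, True),             # newer across the wrap
        (2017022002, 2017022001, True, True),    # serial went backwards
    ]
    return [(c, on_notify(*c)) for c in cases]
```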
