Allow only temporary zone updates without making them permanent

Grant Taylor gtaylor at tnetconsulting.net
Sat Jun 29 18:55:05 UTC 2019


On 6/29/19 12:30 PM, Lefteris Tsintjelis via bind-users wrote:
> I prefer the text format and I always use masterfile-format text. I 
> am always tempted to check if everything is OK. Probably a waste of 
> time but I just feel safer if I can see things.

I'll argue that it doesn't matter (much) why you want text zones.  You 
want them, therefore you should have them as long as it's an option.

> Secondaries though are almost always slaves, so writing suppression 
> doesn't really matter for them. It is only the primary that matters, so 
> if it could suspend writing for just one minute then everything would 
> complete perfectly OK. The ACME record doesn't have to be permanently 
> stored anywhere.

Hypothetical scenario:  Secondary (slave) does not receive a notify, 
waits and polls the Primary (master) per standard DNS mechanisms.

If the secondary (slave) has a sufficiently old serial (say it's been 
offline for maintenance), it will see the new serial and do a zone 
transfer, including the temporary ACME records.

Timing and other conditions might make this unlikely to happen, but I 
think that it is a possibility.

> Thank you! This is the "proper" way to do it. I have tested the 
> _acme-challenge only dynamic zone as you described it and it worked 
> perfectly well and as expected but there is quite a lot to do for 
> just one record for one minute in order to work properly.

This is why some people say "pick the lesser of the evils".  ;-)

> I am not sure about the CNAMEs. It sounds easier to implement as there 
> is only one dynamic zone for all hosts but I am not sure how. The 
> _acme-challenge.<host>, from what I know, is expected to be within 
> the main domain zone in order for ACME to work properly, so how would 
> it work in a separate dynamic one? Wouldn't ACME reject it?

The _acme-challenge.<host> record name is expected to be within the main 
domain zone.  But there is nothing that prevents that record from being 
a CNAME to another zone.

_acme-challenge.www.example.org is a CNAME to www.example.org.dynamic.local
_acme-challenge.www.example.net is a CNAME to www.example.net.dynamic.local
_acme-challenge.www.example.com is a CNAME to www.example.com.dynamic.local

So the only dynamic zone is dynamic.local.  Yet ACME clients can query 
their expected names, follow the CNAME, and get the data they need.



-- 
Grant. . . .
unix || die
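Added example, not code from the thread, from BIND or from any ACME client: a small offline model of the layout Grant describes, with the static zones holding only a per-host CNAME into the single dynamic zone dynamic.local, and the validator following that CNAME to the TXT record. It also checks the point raised in the stale-secondary scenario above: after a challenge is published and cleaned up, only dynamic.local has a new serial, so a secondary of example.org that polls late sees an unchanged serial and transfers nothing. The host and zone names are the ones from the post; the record contents, serials and token are constructed sample data, and the publish/cleanup functions stand in for the nsupdate calls an ACME hook would make against dynamic.local.

```python
# Added example (not from the bind-users thread or BIND): a model of the
# "CNAME into one dynamic zone" layout for ACME DNS-01 challenges.
# Zone contents, serials and the token below are constructed sample data.
from typing import Dict, List, Tuple

RRKey = Tuple[str, str]          # (owner name, record type); names fully qualified
Zone = Dict[RRKey, List[str]]    # rrset -> list of rdata strings


def make_zone(origin: str, serial: int, records: Dict[RRKey, List[str]]) -> Zone:
    """Build a zone with a minimal SOA; only the serial matters for this model."""
    zone: Zone = {(origin, "SOA"): [f"ns1.{origin} hostmaster.{origin} {serial}"]}
    zone.update(records)
    return zone


def serial_of(zone: Zone, origin: str) -> int:
    return int(zone[(origin, "SOA")][0].split()[-1])


def bump_serial(zone: Zone, origin: str) -> None:
    mname, rname, serial = zone[(origin, "SOA")][0].split()
    zone[(origin, "SOA")] = [f"{mname} {rname} {int(serial) + 1}"]


# Static text zones: their only ACME-related content is one CNAME per host,
# exactly the three lines shown in the post. nsupdate never touches them.
ZONES: Dict[str, Zone] = {
    "example.org.": make_zone("example.org.", 2019062901, {
        ("www.example.org.", "A"): ["192.0.2.10"],
        ("_acme-challenge.www.example.org.", "CNAME"): ["www.example.org.dynamic.local."],
    }),
    "example.net.": make_zone("example.net.", 2019062901, {
        ("www.example.net.", "A"): ["192.0.2.20"],
        ("_acme-challenge.www.example.net.", "CNAME"): ["www.example.net.dynamic.local."],
    }),
    # The single dynamic zone, the only one an ACME hook ever updates.
    "dynamic.local.": make_zone("dynamic.local.", 1, {}),
}
DYNAMIC = "dynamic.local."


def zone_for(name: str) -> str:
    """Longest-suffix match, the way an authoritative server picks the zone."""
    best = ""
    for origin in ZONES:
        if (name == origin or name.endswith("." + origin)) and len(origin) > len(best):
            best = origin
    if not best:
        raise LookupError(f"no zone for {name}")
    return best


def lookup(name: str, rtype: str, max_cnames: int = 8) -> Tuple[str, List[str]]:
    """Resolve name/rtype, following CNAMEs across zones like a validator's
    resolver. Returns (final owner name, rdata); rdata is empty on NODATA."""
    for _ in range(max_cnames + 1):
        zone = ZONES[zone_for(name)]
        if (name, rtype) in zone:
            return name, list(zone[(name, rtype)])
        cname = zone.get((name, "CNAME"))
        if not cname:
            return name, []
        name = cname[0]
    raise LookupError("CNAME chain too long")


def acme_publish(host: str, token: str) -> None:
    """Stand-in for the hook's nsupdate: add the TXT in dynamic.local only."""
    owner = f"{host}.{DYNAMIC}"
    ZONES[DYNAMIC][(owner, "TXT")] = [token]
    bump_serial(ZONES[DYNAMIC], DYNAMIC)


def acme_cleanup(host: str) -> None:
    """Stand-in for the hook's nsupdate delete once validation is done."""
    ZONES[DYNAMIC].pop((f"{host}.{DYNAMIC}", "TXT"), None)
    bump_serial(ZONES[DYNAMIC], DYNAMIC)


def validate_challenge(host: str, expected: str) -> bool:
    """The CA's check: query _acme-challenge.<host> TXT and follow the CNAME."""
    _, rdata = lookup(f"_acme-challenge.{host}.", "TXT")
    return expected in rdata


def run_demo() -> Dict[str, object]:
    """Publish, validate, clean up, and report which zones changed serial."""
    before = {z: serial_of(ZONES[z], z) for z in ZONES}
    acme_publish("www.example.org", "constructed-token-123")
    validated = validate_challenge("www.example.org", "constructed-token-123")
    cross_host = validate_challenge("www.example.net", "constructed-token-123")
    acme_cleanup("www.example.org")
    after_cleanup = validate_challenge("www.example.org", "constructed-token-123")
    after = {z: serial_of(ZONES[z], z) for z in ZONES}
    # A stale secondary of example.org polling now sees the old serial unchanged.
    changed = sorted(z for z in ZONES if before[z] != after[z])
    return {"validated": validated, "cross_host": cross_host,
            "after_cleanup": after_cleanup, "zones_changed": changed}


if __name__ == "__main__":
    print(run_demo())
```

In a real BIND deployment the two halves of this model are the static CNAME line in each text zone file and an `update-policy` on the dynamic.local zone that grants the ACME hook's TSIG key rights to TXT records only; the text zones keep their serials and their files untouched.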


