Allow only temporary zone updates without making them permanent

Lefteris Tsintjelis lefty at spes.gr
Sun Jun 30 09:38:37 UTC 2019


On 30/6/2019 0:29, Grant Taylor via bind-users wrote:
> On 6/29/19 2:13 PM, Lefteris Tsintjelis via bind-users wrote:
>> Standard DNS mechanisms and poll would not work. Everything must be
>> done within 1 minute so notify MUST be used and therefore zone serial
>> must be increased and of course all secondaries MUST be online and
>> respond to the notify properly and sync.
> 
> I think we've experienced different things with ACME clients.

It is very possible as not all ACME clients behave the same way.

> Yes, the update needs to be propagated to all the (responding) servers.
> But I've not had any problems if it has taken five or more minutes.  I
> don't know what the timeout is.  But it's longer than one minute.
> 
> I've routinely manually run my ACME client, gotten the new TXT record,
> published it to my master server, waited for it to propagate to the
> slaves, and then run my ACME client for Let's Encrypt to see the updated
> record in DNS.
> 
> I know I've been as slow as five minutes before.  I think I've been as
> slow as ten to fifteen minutes before.

If you do it manually yes; if you do it automatically from a cron job,
everything is timed.

>> When I tried it (by a mistake) with a secondary not synchronized
>> properly (older serial) ACME failed.
> 
> Yes, incorrect data will cause ACME to fail.  But that's largely
> independent of timing.
> 
>> I suppose all this means automatically that the zone MUST be dynamic
>> in order for named to handle all that and propagate everything properly.
> 
> Nonsense.
> 
> There is nothing that states that you can't manually update your zone,
> remembering to increment the serial number, and then restarting BIND or
> reloading the zone.
> 
> BIND will send notifies as it's configured to do so.  Slaves will
> eventually do a zone transfer as specified in the SOA record if they
> miss the notify.
> 
> My experience has been that a sequence of events needs to be completed.
> 
> None of this /requires/ dynamic zones.

Again, no, it is not required, but only if you do it manually. The idea
here is to automate everything and, unless I am missing something, there
is no other way to do this. There has to be a dynamic zone for the ACME
records.

Lefteris
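The setup the thread is circling around, as an added example (not code from this list posting or from the BIND project): keep the real zone static and hand only `_acme-challenge.example.com` to a small dynamic zone that a single TSIG key may update, restricted to TXT records. named then bumps the SOA serial and sends NOTIFY by itself on every accepted update, and the hook script refuses to return until every listed authoritative server actually answers with the challenge, so a lagging secondary blocks the ACME run instead of handing the CA a stale answer. The parent zone needs an NS record for `_acme-challenge` pointing at the same servers. The zone name, key name `acme-key`, key file path, server addresses, and TTL are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the BIND project.
# Keep the real zone static and delegate only _acme-challenge.example.com
# to a small dynamic zone that one TSIG key may update (TXT only). An ACME
# DNS-01 hook then adds the TXT record with nsupdate, waits until every
# listed server answers with it, and deletes it again after validation.
# Zone name, key name, paths, addresses and TTL below are assumptions.

ZONE="_acme-challenge.example.com"
KEYFILE="/etc/bind/acme-key.key"    # assumed TSIG key, e.g. from: tsig-keygen acme-key
PRIMARY="192.0.2.1"                 # assumed primary that accepts the update
SECONDARIES="192.0.2.2 192.0.2.3"   # assumed secondaries that must serve it
TTL=60

# named.conf fragment for the primary. named bumps the SOA serial and sends
# NOTIFY on every accepted update, so no manual serial handling is needed.
# (BIND 9.16+ spells the zone type "primary"; older releases use "master".)
named_conf_fragment() {
    cat <<EOF
zone "$ZONE" {
    type primary;
    file "/var/lib/bind/$ZONE.db";
    update-policy { grant acme-key name $ZONE. TXT; };
    notify yes;
};
EOF
}

# Emit an nsupdate batch that adds or deletes one TXT record at the zone apex.
# Usage: nsupdate_batch add|del <challenge-value>
nsupdate_batch() {
    action=$1
    value=$2
    printf 'server %s\n' "$PRIMARY"
    printf 'zone %s\n' "$ZONE"
    case "$action" in
        add) printf 'update add %s. %s IN TXT "%s"\n' "$ZONE" "$TTL" "$value" ;;
        del) printf 'update delete %s. IN TXT "%s"\n' "$ZONE" "$value" ;;
        *)   echo "nsupdate_batch: bad action '$action'" >&2; return 1 ;;
    esac
    printf 'send\n'
}

# Pure check: succeed only when there is at least one answer and every
# answer equals the expected value. A server that returned nothing is
# passed in as the placeholder NONE so it cannot vanish from the list.
all_servers_agree() {
    expected=$1
    shift
    [ $# -gt 0 ] || return 1
    for ans in "$@"; do
        [ "$ans" = "$expected" ] || return 1
    done
    return 0
}

# Ask one authoritative server directly (bypassing caches) for its TXT
# values, quotes stripped, one per line.
query_txt() {
    dig +short +time=2 +tries=1 "@$1" "$ZONE" TXT | tr -d '"'
}

# Add the record and poll every server until all agree or the deadline
# (seconds) passes. A lagging secondary therefore blocks the ACME run
# instead of letting the CA hit a stale answer.
publish_and_wait() {
    value=$1
    deadline=$2
    nsupdate_batch add "$value" | nsupdate -k "$KEYFILE" || return 1
    waited=0
    while [ "$waited" -lt "$deadline" ]; do
        answers=""
        for ns in $PRIMARY $SECONDARIES; do
            if query_txt "$ns" | grep -qxF "$value"; then
                answers="$answers $value"
            else
                answers="$answers NONE"
            fi
        done
        # shellcheck disable=SC2086  # intentional word splitting
        if all_servers_agree "$value" $answers; then
            return 0
        fi
        sleep 5
        waited=$((waited + 5))
    done
    echo "challenge not visible on all servers within ${deadline}s" >&2
    return 1
}

# Hook entry points, e.g. from an ACME client's auth and cleanup hooks:
#   acme-dns.sh publish <value>     acme-dns.sh cleanup <value>
case "${1:-}" in
    publish) publish_and_wait "$2" 300 ;;
    cleanup) nsupdate_batch del "$2" | nsupdate -k "$KEYFILE" ;;
esac
```

The cleanup hook deletes exactly the record it added, so the dynamic zone is back to empty after each run and nothing about the challenge becomes permanent; the main zone file is never touched and can stay under manual control. The `update-policy` grant is the security-relevant line: the key can write TXT records at that one name and nothing else, so a leaked hook key cannot rewrite A, MX or NS data in the real zone.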

