Xfrout Notify Issues
Spain, Dr. Jeffry A.
spainj at countryday.net
Wed Feb 22 04:34:02 UTC 2012

> For a longer term (we have many longer-term issues:-), I believe this should be solved with a higher-level design rework on zone management in general, but that would take time, and at least won't happen within this project year (by the end of this March). So my question is whether you'd like to have an immediate remedy, even if it's an ad hoc hack (which may be obsoleted in a future version). For example, it would be relatively easy to add a bindctl command to xfrout so you can trigger outbound notifies at least by hand.
Jinmei: I hesitate to ask you to do extra work on an ad hoc hack, but will take your word for it that this will be fairly easy to do. Here's my near-term goal: I believe it is possible today using the current development release of bind10 and the about-to-be-released bind 9.9.0 (9.9.0rc3 is current) to create a system of DNSSEC-enabled authoritative name servers. The idea is to create a hidden master using bind10 for the unsigned zones with a hidden bind 9.9.0 slave that does DNSSEC inline signing (new functionality for bind 9.9) and automatic key maintenance. The bind 9.9.0 slave in turn would have additional bind10 slaves which would be the publicly available authoritative name servers for the signed zones. All inter-server communications could be secured with TSIG.
I almost have this working now, but the problem is that without your proposed hack, the bind10 hidden master doesn't notify the bind 9.9.0 inline signing slave when zone data is edited and reloaded with b10-loadzone. I think I could work around this by logging onto the bind 9.9.0 server and using 'rndc retransfer <zone>', but this seems less elegant, and unfortunately there is currently a bind 9.9.0rc3 bug that prevents this from working properly. (They have sent me a patch to test.) It is also true that bind 9.9.0 will eventually do an SOA query to check for a serial number increment, but this can take on the order of an hour to occur, which is not ideal.
Once the notifies are working with your hack, I would like to do a writeup on the bind10 wiki with the details of how to set this up. Then I would like to post to the bind9 users list that it is possible to create a functioning, DNSSEC-enabled set of authoritative name servers using the combination of bind10 and bind 9.9.0.
I think that represents a significant achievement for both the bind10 and bind9 development groups and thus has good public relations value as well as giving you some bragging rights. What do you and your associates think?
Regards, Jeff.
Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
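The missing piece in the message above is an outbound NOTIFY from the bind10 hidden master, and the proposed remedy is to trigger one by hand. The following is an added example, not code from BIND 10, BIND 9 or the poster: it builds the NOTIFY message RFC 1996 describes (opcode 4, AA set, one SOA question), signs it with a TSIG hmac-sha256 record so the inline-signing slave can authenticate it over the TSIG-secured link the message envisions, shows the slave-side verification of that signature (original ID and ARCOUNT restored as RFC 2845 requires, MAC compared in constant time, time-signed checked against the fudge window), checks the slave's acknowledgement, and compares SOA serials with RFC 1982 arithmetic so a script can tell whether the slave is still behind before deciding to poke it. The zone `example.com`, the slave address `192.0.2.2`, the key name `master-slave-key` and the key secret are all made up; a BIND 9 slave will only honour the NOTIFY if the sending address is one of its configured `masters` or is matched by its `allow-notify` list.

```python
"""Hand-triggered DNS NOTIFY (RFC 1996) signed with TSIG hmac-sha256 (RFC 2845), plus
RFC 1982 serial comparison.  Added example, not BIND 10 or BIND 9 code; zone, slave
address, key name and key secret are made up."""
import base64
import hashlib
import hmac
import os
import socket
import struct
import time

OPCODE_NOTIFY = 4
TYPE_SOA, TYPE_TSIG = 6, 250
CLASS_IN, CLASS_ANY = 1, 255
HMAC_SHA256 = "hmac-sha256"

def wire_name(name):
    """Uncompressed wire-format name, lower-cased (RFC 2845 digests names that way)."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def skip_name(buf, off):
    """Offset just past the name starting at buf[off]; a compression pointer is 2 bytes."""
    while buf[off] != 0:
        if buf[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + buf[off]
    return off + 1

def build_notify(zone, msg_id=None):
    """NOTIFY request: QR=0, OPCODE=4, AA=1 (RFC 1996 3.1), one SOA question, no RRs."""
    if msg_id is None:
        msg_id = int.from_bytes(os.urandom(2), "big")
    flags = (OPCODE_NOTIFY << 11) | (1 << 10)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)

def tsig_variables(key_name, timestamp, fudge):
    """The 'TSIG variables' RFC 2845 3.4.2 appends to the message before hashing."""
    return (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)     # key name, class, TTL
            + wire_name(HMAC_SHA256) + timestamp.to_bytes(6, "big")   # algorithm, time signed
            + struct.pack("!HHH", fudge, 0, 0))                       # fudge, error, other-len

def tsig_sign(msg, key_name, secret, timestamp=None, fudge=300):
    """Append a TSIG RR to an unsigned message and bump ARCOUNT."""
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(secret, msg + tsig_variables(key_name, ts, fudge), hashlib.sha256).digest()
    rdata = (wire_name(HMAC_SHA256) + ts.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac
             + msg[0:2] + struct.pack("!HH", 0, 0))                   # original ID, error, other-len
    rr = wire_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr

def tsig_verify(signed, key_name, secret, now=None):
    """Slave-side check of a signed NOTIFY: question section, then exactly one TSIG RR."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    if (an, ns, ar) != (0, 0, 1):
        return False
    off = 12
    for _ in range(qd):
        off = skip_name(signed, off) + 4                              # name + QTYPE + QCLASS
    body, name_end = signed[:off], skip_name(signed, off)
    if signed[off:name_end].lower() != wire_name(key_name):
        return False
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", signed[name_end:name_end + 10])
    rd = signed[name_end + 10:name_end + 10 + rdlen]
    alg_end = skip_name(rd, 0)
    if (rtype, rclass) != (TYPE_TSIG, CLASS_ANY) or rd[:alg_end].lower() != wire_name(HMAC_SHA256):
        return False
    ts = int.from_bytes(rd[alg_end:alg_end + 6], "big")
    fudge, mac_len = struct.unpack("!HH", rd[alg_end + 6:alg_end + 10])
    mac = rd[alg_end + 10:alg_end + 10 + mac_len]
    orig_id = rd[alg_end + 10 + mac_len:alg_end + 12 + mac_len]
    # Re-create exactly what the signer hashed: original ID, ARCOUNT without the TSIG RR.
    unsigned = orig_id + body[2:10] + struct.pack("!H", ar - 1) + body[12:]
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, ts, fudge), hashlib.sha256).digest()
    now = int(time.time()) if now is None else now
    return hmac.compare_digest(mac, expected) and abs(now - ts) <= fudge

def notify_acked(req, resp):
    """A positive NOTIFY response echoes the ID with QR=1, OPCODE=4 and RCODE=0."""
    if len(resp) < 12 or resp[:2] != req[:2]:
        return False
    flags = struct.unpack("!H", resp[2:4])[0]
    return bool(flags & 0x8000) and (flags >> 11) & 0xF == OPCODE_NOTIFY and flags & 0xF == 0

def serial_gt(a, b):
    """RFC 1982: serial a is newer than b iff (a - b) mod 2^32 lies in (0, 2^31)."""
    return 0 < ((a - b) & 0xFFFFFFFF) < 0x80000000

def send_notify(zone, slave, key_name, secret_b64, port=53):
    """Send one signed NOTIFY over UDP and report whether the slave acknowledged it."""
    req = tsig_sign(build_notify(zone), key_name, base64.b64decode(secret_b64))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(req, (slave, port))
        resp, _ = s.recvfrom(512)
    return notify_acked(req, resp)
```

Usage from the hidden master after a `b10-loadzone` run would be `send_notify("example.com", "192.0.2.2", "master-slave-key", "<base64 secret>")`, with the same key name and secret configured on the slave. The serial check matters because a NOTIFY only prompts the slave to query the SOA; if the master's serial was not actually incremented by the edit, `serial_gt(master_serial, slave_serial)` is false and no transfer will follow however many notifies are sent.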