Xfrout notify question
Spain, Dr. Jeffry A.
spainj at countryday.net
Wed May 23 20:28:12 UTC 2012
>> My question is: who is being notified? Is it, for example, the servers listed in the NS records in the zone data.
> The servers listed in zone origin's NS *whose names also belong to that zone and have AAAA or A records*. So, in practice, it won't work for reverse zones in general.
> Zone management in general is one of the things we need to revisit/improve fundamentally. Hopefully we can solve this particular issue as part of it. (Right now, though, I'm not sure when we start developing this feature set).
Thanks. Here are my thoughts on this.
First of all, the current strategy of notifying hosts named in NS records using the addresses from their A or AAAA records doesn't work in certain scenarios. For example, in a situation where the DNS servers are behind an IPv4 NAT firewall but are providing DNS service to the Internet. In this case the A records will contain external IPv4 addresses, but the servers might only be reachable from each other via their internal IPv4 addresses.
Another problematic scenario is the one I am using. I have a bind10 stealth master configured to use a bind 9.9 slave for DNSSEC inline signing, and the bind 9.9 server isn't listed in the NS records of any of my zones. The bind 9.9 server in turn is configured to use two other bind10 servers as slaves, and it is these latter two, which are my publicly accessible authoritative servers, that are listed in the NS records.
Thus I suggest the following. Keep the current behavior as a default if you wish, but add configuration commands to turn that behavior off and set up explicitly defined notification. For example:
> config set Xfrout notify <yes (default)|no|explicit>
where "yes" means use the default behavior described above and also notify servers specified in an explicit notification list, "no" means don't send any notify messages, and "explicit" means notify only servers specified in an explicit notification list.
The notify-explicit configuration object would contain a list of explicit notification targets and associated TSIG key names:
> config set Xfrout notify-explicit [{"target": "<IPv4/IPv6 address>", "key": "<key name>"},...]
Thanks for considering the addition of these features. They would certainly make my current setup work and respond more efficiently to zone changes. Jeff.
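To make the behaviour discussed in this thread concrete, here is an added example (not BIND 10 code and not the poster's) that models the default NOTIFY target selection (apex NS names that belong to the zone and have A/AAAA records) alongside the proposed notify modes yes/no/explicit. The zone data, the record-store layout and the tuple form of a target are constructed assumptions for illustration.

```python
# Added example, not BIND 10 code: model which hosts receive NOTIFY under the
# default rule from the thread and under the proposed notify=yes|no|explicit modes.
from typing import Dict, List, Tuple

Zone = Dict[str, Dict[str, List[str]]]   # owner name -> rtype -> rdata list (assumed layout)
Target = Tuple[str, str]                 # (address, TSIG key name or "" for none)


def in_zone(name: str, origin: str) -> bool:
    """True if name is at or below origin (both absolute, trailing dot)."""
    name, origin = name.lower(), origin.lower()
    return name == origin or name.endswith("." + origin)


def default_targets(origin: str, zone: Zone) -> List[Target]:
    """Default rule: apex NS names that are in-zone and have A/AAAA records."""
    targets: List[Target] = []
    for ns in zone.get(origin, {}).get("NS", []):
        if not in_zone(ns, origin):
            continue                      # out-of-zone NS name: no address data in this zone
        rrsets = zone.get(ns, {})
        for addr in rrsets.get("A", []) + rrsets.get("AAAA", []):
            targets.append((addr, ""))    # default behaviour carries no TSIG key
    return targets


def notify_targets(origin: str, zone: Zone, mode: str = "yes",
                   explicit: List[Dict[str, str]] = ()) -> List[Target]:
    """Proposed modes: 'no' sends nothing, 'explicit' uses only the list,
    'yes' sends to the default set plus the list (de-duplicated by address)."""
    if mode == "no":
        return []
    explicit_targets = [(e["target"], e.get("key", "")) for e in explicit]
    if mode == "explicit":
        return explicit_targets
    if mode != "yes":
        raise ValueError(f"unknown notify mode: {mode}")
    seen, merged = set(), []
    for addr, key in default_targets(origin, zone) + explicit_targets:
        if addr not in seen:
            seen.add(addr)
            merged.append((addr, key))
    return merged


# Constructed sample data: a forward zone with one out-of-zone NS, and a reverse
# zone whose NS names all live elsewhere (so the default rule finds nobody).
FORWARD: Zone = {
    "example.com.": {"NS": ["ns1.example.com.", "ns2.example.com.", "ns3.example.net."]},
    "ns1.example.com.": {"A": ["192.0.2.1"]},
    "ns2.example.com.": {"A": ["192.0.2.2"], "AAAA": ["2001:db8::2"]},
}
REVERSE: Zone = {"2.0.192.in-addr.arpa.": {"NS": ["ns1.example.com.", "ns2.example.com."]}}
```

Running default_targets on REVERSE returns an empty list, which is the reverse-zone limitation the reply describes; an explicit entry such as an internal address plus a key name is the only way that zone, or a stealth master behind NAT, gets a NOTIFY in this model.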