NLnetLabs / nsd

The NLnet Labs Name Server Daemon (NSD) is an authoritative, RFC compliant DNS nameserver.
https://nlnetlabs.nl/nsd
BSD 3-Clause "New" or "Revised" License

Feature request: EDNS EXPIRE (RFC 7314) #274

Open anandb-ripencc opened 1 year ago

anandb-ripencc commented 1 year ago

Hi. Long chains of XFR servers can lead to a situation where a zone's expiry is extended well beyond what's in the SOA record. We have recently had this situation with some of our zones, where the secondary kept serving a zone with expired RRSIGs.

Would you consider implementing RFC 7314 in Knot DNS NSD, both when providing XFR as well as requesting XFR, and honouring the expiry from the EDNS EXPIRE option instead of the SOA record?

anandb-ripencc commented 1 year ago

I copy+pasted from the same request to the Knot DNS folk... oops, haha.

s/Knot DNS/NSD/ :)

anandb-ripencc commented 1 year ago

It turns out that Knot DNS has implemented this since version 3.2. It has been in BIND for even longer. I would love to see this in NSD, so that we can make use of it uniformly. Other than in XFR, it also helps when you issue a SOA query, because you can quickly know how far a zone is from expiry, and could use it as a monitoring aid.

k0ekk0ek commented 1 year ago

Hi @anandb-ripencc! I'll start looking into this.

anandb-ripencc commented 8 months ago

Hi @k0ekk0ek. Any update on this issue?

k0ekk0ek commented 8 months ago

Hi @anandb-ripencc. I'm sorry, not yet. It got sidetracked. I'll see if I can start work on this again soon (#278, or simdzone, is keeping me busy, but a first release is close).

k0ekk0ek commented 3 months ago

@anandb-ripencc, #278 turned out to take (way) more time. I'm sorry it took so long. I'll get started on this feature later this week.

k0ekk0ek commented 2 months ago

I've been working out how to fit this into NSD. The problem is that the processes serving the data do not keep track of zone administration as that is done by xfrd. The initial idea was to use a shared memory segment containing an expire timer per zone. As multiple versions might be served (current version, plus version after reload), that is not as straightforward as I hoped it'd be. Anyway, just a quick update to indicate this is top of my list.

anandb-ripencc commented 2 months ago

Thanks for this update, Jeroen. Perhaps you can try to solve this issue in 2 parts. It would already be useful if XFRD were to ask for, and honour, the EXPIRE option in XFR queries. This would solve the problem where we have multiple chains of XFR servers, and the zone expiry time is extended beyond the operator's intention. This is my main motivation for wanting EXPIRE support in NSD, because we have actually faced this issue.

Later, you can try to figure out a way of passing on the expiry timer information to the child processes.

k0ekk0ek commented 2 months ago

That's most certainly less complicated, I'll see if I can split it up.