Feature Request: auth: outgoing IXFR support

[m-barthelemy]

• Program: Authoritative
• Issue type: Feature request

Short description

After receiving a notification, a slave may want to ask a PowerDNS master for zone changes using IXFR. As of 4.2.3, PowerDNS can only emit AXFR responses, according to the doc and confirmed after a few quick tests with an Unbound slave.

Usecase

Maintaining slaves up to date almost in real time using NOTIFY is great. However:

• If the zone becomes big, any update potentially requires transferring (and then updating) a lot of information on the salves.
• If the slave expects an IXFR response from the master (Unbound 1.7.1 with auth-zone, allow-notify and master configured) if fails. Well, I guess Unbound should be able to accept an AXFR response, and its current behavior is a limitation or a bug.

[Habbie]

Hello, I took the liberty of editing the title. This is a big feature request, to be clear, and I'm surprised we did not already have a ticket for it!

[Habbie]

You might be interested in ixfrdist, by the way.

[Habbie]

Well, I guess Unbound should be able to accept an AXFR response, and its current behavior is a limitation or a bug.

That does sound like a bug, to be clear.

[pieterlexis]

Hi @m-barthelemy,

Due to the use of the database in the backend (and the design thereof) it is quite hard to create an IXFR. This is mostly because we don't keep multiple versions of zones and it is hard to determine removals without many extra tables to keep this history and all the code that comes with it.

In master, there is a tool called ixfrdist (config file format), currently available in the pdns-tools package from our repos. This tools retrieves the zones from the auth, saves them to disk and re-distributes it over AXFR and IXFR. It is somewhat of a work in progress is only checks for new data at the master every SOA Expire seconds and it does not support NOTIFY or TSIG.

If you want, we can consider this issue a request for NOTIFY support in ixfrdist.

If the slave expects an IXFR response from the master (Unbound 1.7.1 with auth-zone, allow-notify and master configured) if fails. Well, I guess Unbound should be able to accept an AXFR response, and its current behavior is a limitation or a bug.

That smells like a bug, an IXFR request might be answered with a full zone according to RFC 1995 section 4:

If incremental zone transfer is not available, the entire zone is returned. The first and the last RR of the response is the SOA record of the zone. I.e. the behavior is the same as an AXFR response except the query type is IXFR.

Cheers!

[Habbie]

That does sound like a bug, to be clear.

I cannot reproduce your Unbound problem.

[oliken]

"Due to the use of the database in the backend (and the design thereof) it is quite hard to create an IXFR."

"It is somewhat of a work in progress is only checks for new data at the master every SOA Expire seconds and it does not support NOTIFY or TSIG"

Hi! Do you plan to develop this features?:

• ixfrdist NOTIFY support (Catch DNS NOTIFY from master and update AFXR/Send DNS NOTIFY to some hosts)
• ixfrdist TSIG support (between master and ixfrdist and between ixfrdist and some hosts)
• ixfrdist refresh time vs actual SOA expire only

This features may permits to replace the limitation of PowerDNS to send IXFR.