desec-io / desec-stack

Backbone of the deSEC Free Secure DNS Hosting Service
https://desec.io/
MIT License

Support AXFR transfers to secondaries #579

Open timkgh opened 2 years ago

timkgh commented 2 years ago

I would like to use deSEC as primary while having other secondary DNS services for redundancy.

Please consider adding AXFR support with TSIG.

Thank you.

nils-wisiol commented 2 years ago

Per-user AXFR could be supported by means of a separate daemon that answers AXFR requests by first authenticating the request, then doing an AXFR internally, then replying to the request.
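The authentication step of the daemon described in the comment above, as an added example that is not part of this thread or of deSEC's code: it verifies a TSIG MAC (HMAC-SHA256 over the request plus the TSIG variables, RFC 8945) and refuses zones the key's owner does not hold before any internal AXFR starts. The key table, zone table and function names are hypothetical, the sample data is constructed, and the caller is assumed to have already split the TSIG record off the request.

```python
import hashlib, hmac, struct

# Constructed sample data: per-user TSIG keys and zone ownership (hypothetical).
KEYS = {"alice-key.": ("alice", b"constructed-secret-alice")}
ZONES = {"alice": {"example.com."}}
ALGO = "hmac-sha256."

def wire_name(name):
    """Encode a domain name in canonical (lowercase) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def axfr_query(zone, msg_id=0x1234):
    """Build an AXFR query (QTYPE 252, class IN) without the TSIG record."""
    header = struct.pack("!6H", msg_id, 0, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!2H", 252, 1)

def question_name(message):
    """Read the QNAME of the first question (queries carry no name compression)."""
    pos, labels = 12, []
    while message[pos]:
        labels.append(message[pos + 1:pos + 1 + message[pos]].decode("ascii").lower())
        pos += 1 + message[pos]
    return ".".join(labels) + "."

def tsig_mac(secret, message, key_name, time_signed, fudge=300):
    """HMAC-SHA256 over the message plus the TSIG variables (request case)."""
    variables = (wire_name(key_name) + struct.pack("!HI", 255, 0)  # CLASS ANY, TTL 0
                 + wire_name(ALGO)
                 + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
                 + struct.pack("!HH", 0, 0))                       # error, other len
    return hmac.new(secret, message + variables, hashlib.sha256).digest()

def authorize_axfr(message, key_name, time_signed, mac, now, fudge=300):
    """Return (allowed, reason); run this before starting the internal AXFR."""
    entry = KEYS.get(key_name.lower())
    if entry is None:
        return False, "BADKEY"
    user, secret = entry
    expected = tsig_mac(secret, message, key_name, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    if question_name(message) not in ZONES.get(user, set()):
        return False, "REFUSED"  # valid key, but the zone belongs to another user
    return True, "ok"
```

The zone is taken from the signed request itself rather than from a separate parameter, so a valid key cannot be used to pull a zone its owner does not hold.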

timkgh commented 2 years ago

I understand that the DNSSEC records are problematic with AXFR and secondary providers. Not sure whether disabling DNSSEC in deSEC is an option, though the goal of deSEC is to promote DNSSEC.

nils-wisiol commented 2 years ago

> Not sure whether disabling DNSSEC in deSEC is an option

no way :nerd_face:

appliedprivacy commented 1 year ago

This topic (redundancy via zone transfer) has become more relevant today due to the DDoS-related outage. Forum post: https://talk.desec.io/t/zone-transfer-to-secondary-ns-for-availability-reasons/568

Please also consider RFC9103 Zone Transfer over TLS when implementing AXFR support. https://www.rfc-editor.org/rfc/rfc9103

appliedprivacy commented 1 year ago

Looks like DDoS issues will become more frequent.

We are committing to donate 100€ if AXFR support gets implemented sometime before 2024.

bluecmd commented 1 year ago

Hi! Just wanting to say that I was considering moving all my domains to deSEC given the wonderful things that it seems to offer, but sadly I need to be able to do AXFR to internal DNS mirrors to be able to have high-availability when transit outages happen. E.g. offices need to be able to print on the printer without internet connectivity.