> Now DLZ supports dynamic updates and theoretically it is possible to do
> such tricks:
>
> rndc freeze example.com
> put some new records in database
> rndc thaw example.com
> rndc sign example.com
> rndc freeze example.com
>
> That is, the zone isn't really dynamic, but it is dynamically loadable and
> signed. Will it work?
DLZ only supports dynamic updates if you're using a back-end that supports them. Right now the only combination that works is the DLZ "dlopen" driver running the SMB/CIFS module provided in Samba 4, bind_dlz.c. As far as I know, that module doesn't understand DNSSEC RRtypes, so I doubt if that trick would work today.

Even with a back-end module that can manage DNSSEC records, my guess is that it wouldn't answer queries correctly, because AFAIK DLZ doesn't have a mechanism for finding the closest previous name, and that's necessary for returning a signed NXDOMAIN response. (This problem would also apply if you used dnssec-signzone and loaded the signed data into the database directly.)

Incidentally, we've been expanding DLZ support further. In 9.8.1, the dlopen driver will be part of the default build on unix/linux platforms, no longer requiring a configure option, so you can use the Samba module (or other modules yet to be written) with a stock BIND 9 build. In 9.9.0, we'll be adding support for the dlopen driver on Windows as well. I plan to convert the other DLZ drivers (mysql, postgresql, ldap, etc) to back-end modules for the dlopen driver at that time as well. I'm not expecting to make them support dynamic updates yet, and hadn't even given any thought to the problem of supporting DNSSEC, but we can add those features to the roadmap as well if there's user demand.

--
Evan Hunt -- [email protected]
Internet Systems Consortium, Inc.

_______________________________________________
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
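To make the "closest previous name" point above concrete, here is an added example (not from the post, nor BIND or Samba code) of the lookup an authoritative server must perform before it can return a signed NXDOMAIN: sort the zone's owner names in RFC 4034 canonical order and pick the NSEC whose owner immediately precedes the queried name. The zone contents and the helper names are constructed for illustration; the extra NSEC needed for the wildcard proof is left out.

```python
# Added example, not part of the original post: the "closest previous name"
# lookup a signer/authoritative server needs in order to return a signed
# NXDOMAIN (RFC 4035 section 3.1.3.2). Zone contents are constructed.

def canonical_key(name):
    """Sort key implementing RFC 4034 section 6.1 canonical DNS name order.

    Names are compared label by label starting at the root (rightmost label);
    each label is compared as a case-folded byte string, and a name with
    fewer labels sorts first when it is a prefix of the other.
    """
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return tuple(label.encode("ascii") for label in reversed(labels))


def covering_nsec(owners, qname):
    """Return (prev_owner, next_owner) for the NSEC record that covers qname.

    owners: every owner name present in the zone (the apex must be included).
    Returns None when qname exists (no NXDOMAIN, so no covering NSEC).
    Raises ValueError when qname is outside the zone.
    """
    ordered = sorted(owners, key=canonical_key)
    apex_key, qkey = canonical_key(ordered[0]), canonical_key(qname)
    if qkey[:len(apex_key)] != apex_key:
        raise ValueError(f"{qname} is not under apex {ordered[0]}")
    if any(canonical_key(o) == qkey for o in ordered):
        return None
    # Index of the last owner sorting before qname: the closest previous name.
    prev_idx = max(i for i, o in enumerate(ordered) if canonical_key(o) < qkey)
    # The NSEC chain wraps: the last owner's NSEC points back to the apex.
    next_idx = (prev_idx + 1) % len(ordered)
    return ordered[prev_idx], ordered[next_idx]


# Constructed zone contents (hypothetical, for illustration only).
ZONE_OWNERS = [
    "example.com.", "alpha.example.com.", "www.alpha.example.com.",
    "mike.example.com.", "zulu.example.com.",
]

if __name__ == "__main__":
    for q in ("bravo.example.com.", "zz.example.com.", "MIKE.example.com."):
        print(q, "->", covering_nsec(ZONE_OWNERS, q))
```

A back-end that can only answer "give me the records at this exact name" cannot perform this ordered-neighbour search, which is the gap the reply describes.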

