Hello!

I have a Knot 3.2.5 server running here which, for most zones, acts as a
bump-in-the-wire signer, and it's doing exactly what I expect it to do.

The same server carries a few secondary zones which are not signed, and I
notice that when Knot transfers these zones in, it doesn't NOTIFY its
secondaries, something which works fine for DNSSEC signed zones.

The following configuration is in place:

remote:
  - id: pdns
    address: 192.168.25.45@53
    key: dsupload
    block-notify-after-transfer: on  # <-------
    automatic-acl: on

template:
  - id: default
    zonefile-load: difference
    file: "%s"
    serial-policy: dateserial
    master: pdns
    catalog-role: member
    catalog-zone: katz1
    acl: [ xfr, notify_from_pdns, xfer_to_bind ]
    notify: [ s1, s2, s3 ]

policy:
  - id: manualHSM
    manual: on
    keystore: thales
    cds-cdnskey-publish: rollover
    ksk-submission: ds_checker
    ds-push: pdns

zone:
  - domain: sig.example
    dnssec-policy: manualHSM
    dnssec-signing: on

  - domain: notsig.example
    dnssec-signing: off

When sig.example is transferred in, Knot signs it, NOTIFYs its secondaries
(s1--s3), they XFR the zone and all's well.

When the unsigned notsig.example is transferred in, the logs indicate Knot is
seeing the new serial, and that's it; the secondaries are not NOTIFYd. (I can
manually `knotc notify', but that's not the point.)

Setting `block-notify-after-transfer: off' on the remote remediates this. Knot
then does NOTIFY its secondaries for the unsigned zone (and for the signed
zone).

The documentation states:

        "When incoming AXFR/IXFR from this remote (as a primary server),
        suppress sending NOTIFY messages to all configured secondary servers."

However, if I switch it off (i.e. enable notification), I do not see the NOTIFY
when Knot initially transfers the unsigned zone which is then signed and hence
then notified.

Is this behavior expected, and have I interpreted it correctly?

Thanks & best regards,

        -JP
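One way to catch the symptom described above (secondaries silently falling behind because no NOTIFY was sent) is to compare the SOA serials the primary and each secondary hand out, using RFC 1982 serial arithmetic so a serial wrap is not misread as "behind". This is an added example, not code from the post or from Knot; the `soa_serial` lookup callable and the server names are assumptions, and the serials below are constructed.

```python
"""Report secondaries whose SOA serial lags the primary's (added example)."""
from typing import Callable, Dict, List

MASK = 0xFFFFFFFF      # SOA serials are unsigned 32-bit
HALF = 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: True if serial a is newer than b.

    A plain a > b is wrong once a serial wraps past 2^32-1, so the comparison
    is done modulo 2^32 with a half-range window.
    """
    a &= MASK
    b &= MASK
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def stale_secondaries(zone: str, servers: List[str],
                      soa_serial: Callable[[str, str], int]) -> Dict[str, int]:
    """Return {secondary: its serial} for every secondary behind the primary.

    servers[0] is the primary (here the Knot signer); the rest are secondaries.
    soa_serial(server, zone) is a caller-supplied lookup (hypothetical), e.g.
    a wrapper around `dig +short SOA` that returns the serial field.
    """
    primary, secondaries = servers[0], servers[1:]
    want = soa_serial(primary, zone)
    lagging = {}
    for s in secondaries:
        have = soa_serial(s, zone)
        if serial_gt(want, have):
            lagging[s] = have
    return lagging


# Constructed sample standing in for live SOA queries: s1 and s2 never saw a
# NOTIFY for the unsigned zone, s3 happened to refresh on its own.
SAMPLE = {
    ("knot", "notsig.example"): 2024051502,
    ("s1", "notsig.example"): 2024051501,
    ("s2", "notsig.example"): 2024051501,
    ("s3", "notsig.example"): 2024051502,
}


def sample_lookup(server: str, zone: str) -> int:
    """Offline stand-in for a real SOA query (constructed data)."""
    return SAMPLE[(server, zone)]


if __name__ == "__main__":
    print(stale_secondaries("notsig.example", ["knot", "s1", "s2", "s3"], sample_lookup))
```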