Why not configure a regular nameserver on the same host as opendnssec instead of replicating full functionality in opendnssec itself?
Ondřej Surý

> On 8. 8. 2013, at 14:46, Havard Eidnes <[email protected]> wrote:
>
> Hi,
>
> I'm slowly getting acquainted with OpenDNSSEC, now version 1.4.1.
>
> It seems to me that when you configure OpenDNSSEC to use DNS to
> fetch an unsigned zone and provide a signed zone, it behaves
> differently from a proper DNS server in one important aspect, namely
> that it does not appear to do periodic SOA queries towards the
> provider of the unsigned zone, and it does not appear to answer SOA
> queries itself, but rather appears to depend singularly on notify
> messages to trigger zone transfers and re-signing operations.
>
> True? False?
>
> Is that operationally "OK"? I would have thought "no", because
> there are no hard guarantees that notify messages will be delivered,
> e.g. in the case of temporary network outage or temporary name
> server failure, causing the need for additional manual operational
> intervention after such an event. This looks like a step in the
> wrong direction...
>
> If this is true, it also means that you must have notify configured
> for your OpenDNSSEC server on the source name server, and cannot
> rely on the otherwise normal periodic SOA queries to trigger zone
> updates.
>
> Best regards,
>
> - Håvard
>
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
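
The operational concern raised in the quoted message, as an added example that is not part of the original thread and is not OpenDNSSEC code: a small model comparing how long a secondary holds an outdated zone when it relies on NOTIFY alone versus NOTIFY plus periodic SOA refresh polling. The serials, timings, the `Update` type and the function names are constructed for illustration; transfers are assumed instantaneous and retry/expire timers are ignored.

```python
# Added illustration: constructed names and timings, not OpenDNSSEC code.
from dataclasses import dataclass

MOD = 1 << 32  # SOA serials are 32-bit and wrap around


def serial_newer(a, b):
    """RFC 1982 serial arithmetic: True if serial a is newer than serial b."""
    return a != b and (a - b) % MOD < MOD // 2


@dataclass
class Update:
    time: int               # seconds since start when the primary changed
    serial: int             # new SOA serial on the primary
    notify_delivered: bool  # False models a NOTIFY lost to an outage


def primary_serial_at(updates, t, initial):
    """Serial the primary serves at time t."""
    serial = initial
    for u in updates:
        if u.time <= t:
            serial = u.serial
    return serial


def stale_seconds(updates, initial, horizon, refresh=None):
    """Seconds in [0, horizon) during which the secondary holds an older
    serial than the primary. refresh=None models a NOTIFY-only secondary;
    otherwise it also sends an SOA query every `refresh` seconds."""
    checks = {u.time for u in updates if u.notify_delivered}
    if refresh:
        checks |= set(range(refresh, horizon, refresh))
    held, stale = initial, 0
    for t in range(horizon):
        current = primary_serial_at(updates, t, initial)
        if t in checks and serial_newer(current, held):
            held = current  # assumed instantaneous zone transfer
        if serial_newer(current, held):
            stale += 1
    return stale


# Constructed scenario: the second change's NOTIFY never arrives.
INITIAL = 2013080800
UPDATES = [Update(600, 2013080801, True), Update(1800, 2013080802, False)]

if __name__ == "__main__":
    print("NOTIFY only:      ", stale_seconds(UPDATES, INITIAL, 7200))
    print("NOTIFY + refresh: ", stale_seconds(UPDATES, INITIAL, 7200, refresh=3600))
```

In the NOTIFY-only case the staleness keeps growing with the horizon until another NOTIFY arrives or an operator intervenes, while polling bounds it by the refresh interval.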
