Hi Havard,

> Doesn't OpenDNSSEC periodically query the upstream hidden master about
> its SOA version number, and update the "serial_xfr_acquired" timestamp
> after it has verified that no change in the SOA version number has
> occurred at the master?

We just had a discussion about this. It seems that OpenDNSSEC doesn't actively probe for a new version, yet it expires the zone when no changes were received for a while. So a DNS input adapter in combination with a static zone is an unfortunate combination.

We did not reach consensus on why it works like this. Oversight, maybe bad assumptions in the past (the DNS-based adapters weren't added from the start of the project). Or even whether OpenDNSSEC should ever expire a zone at all. Answer: it depends on whether you consider OpenDNSSEC the owner of the zone.

In the long term we should implement active probing (for version > 2.X). We are in the middle of a major Signer overhaul so we won't have that soon. I do think, however, that for the short term it would be wise to entirely disable the expiry logic in 1.4. Would it be acceptable to never expire a zone even if the master goes away?

//Yuri
_______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
