Hello.
On Monday, January 04, 2016 04:20:38 PM Tobias Brunner wrote:
> Is there a feature in Knot where I can leave out the serial and just put a
> placeholder there? So that Knot manages the serial by itself? Knot could
> then e.g. look at the timestamp of the zonefile to decide if it needs to
> update the zone serial (e.g. unix timestamp) and reload the zone.
There is not at the moment. But I agree that it would be very useful. And
I think the first step towards a real solution would be to store the
automatically generated records separately. But this brings complications with
DDNS, with intentionally broken zones containing garbage, etc.
> Are there any other suggestions on how to manage zonefiles in Git when
> using DNSSEC? Is it a problem when replacing the zonefile every time with
> an unsigned one and letting Knot resign the whole zone, or zones, because
> with a git reset all zonefiles will be replaced by the original files?
> Looks like this would cause a lot of trouble because of the automatic
> serial increment when signing a zone. Setting zonefile-sync to -1 seems
> not to be a great idea in production...
There will always be a possibility that Knot will resign the zone in the
interval when the zone file is updated. What I do when I manually edit the
zone file is to run 'knotc flush' and 'knotc status' first to check when
the automatic signing will take place. Just to make sure that I'm in the safe
interval.
There is no problem in resigning the zone if your zone has a reasonable size.
The only danger is related to the serial number handling.
I think the problem can also be solved by a slightly more intelligent git
hook. The hook can execute 'knotc flush', then extract the DNSKEY, RRSIG, and
NSEC/NSEC3 records from the flushed zone. Take the input zone from git, append
these records to the zone file, increase the serial and reload the server.
Should not be that hard...
> General question: How are others managing zonefiles besides in Git?
I would like to know that as well. :-)
Cheers,
Jan
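The git hook sketched in the reply above, worked through as an added example. This is not code from the thread and not Knot's own tooling; it assumes that the committed zone file and the file Knot serves (and writes on flush) are different paths, that every record in Knot's dump carries its owner name, and that the knotc subcommands are the 'flush' and 'reload' names used in the post (they differ between Knot versions). The zone file names, the sample zones and the key and signature bytes in them are all constructed for the example. Two details go beyond the sketch: the new serial is taken as one above the larger of the committed and the currently served serial, so secondaries see an increase whatever git reset left in the repository, and the RRSIG over the SOA is deliberately left out, because changing the serial invalidates it and Knot has to sign the SOA afresh on reload.

```shell
# Added example (not from the thread, not Knot's own tooling). Assumed: the
# committed zone and the file Knot serves/flushes are different paths, every
# RR in Knot's dump carries its owner, and knotc understands 'flush' and
# 'reload' as in the post (the names vary between Knot versions).

# Flatten a zone file: drop ';' comments and join parenthesised multi-line
# records into one line each. A leading blank is kept, since an RR without
# an owner inherits the previous one. Caveat: ';' inside quoted TXT rdata is
# treated as a comment.
normalize_zone() {
  awk '
    { sub(/;.*/, "") }
    buf == "" { lead = ($0 ~ /^[ \t]/) ? " " : "" }
    { buf = buf " " $0 }
    buf ~ /\(/ && buf !~ /\)/ { next }
    {
      gsub(/[()]/, " ", buf); gsub(/[ \t]+/, " ", buf)
      sub(/^ /, "", buf); sub(/ $/, "", buf)
      if (buf != "") print lead buf
      buf = ""
    }' "$1"
}

# Print the SOA serial (third rdata field after the SOA type token).
zone_serial() {
  normalize_zone "$1" | awk '
    { start = ($0 ~ /^ /) ? 1 : 2
      for (i = start; i <= 4 && i <= NF; i++)
        if ($i == "SOA") { print $(i + 3); exit } }'
}

# Print the zone with its SOA serial replaced by $2.
set_serial() {
  normalize_zone "$1" | awk -v s="$2" '
    { lead = ($0 ~ /^ /) ? " " : ""
      for (i = (lead == " ") ? 1 : 2; i <= 4 && i <= NF; i++)
        if ($i == "SOA") { $(i + 3) = s; $0 = lead $0; break }
      print }'
}

# Keep only the records Knot generated: DNSKEY, NSEC/NSEC3/NSEC3PARAM and
# RRSIG, minus the RRSIG over the SOA, which the new serial invalidates.
# Ownerless lines are refused: appended, they would inherit the wrong owner.
extract_dnssec_records() {
  normalize_zone "$1" | awk '
    { t = ""
      for (i = 1; i <= 4 && i <= NF; i++)
        if ($i ~ /^(DNSKEY|RRSIG|NSEC|NSEC3|NSEC3PARAM)$/) { t = $i; ti = i; break }
      if (t == "") next
      if ($0 ~ /^ /) { print "ownerless record in dump: " $0 > "/dev/stderr"; exit 1 }
      if (t == "RRSIG" && $(ti + 1) == "SOA") next
      print }'
}

# Build the zone to load: the committed zone with a serial above both the
# committed and the served one, then the generated records. Serial wrap-around
# at 2^32 is not handled.
merge_zone() {
  committed=$(zone_serial "$1"); served=$(zone_serial "$2")
  [ -n "$committed" ] && [ -n "$served" ] || { echo "SOA not found" >&2; return 1; }
  if [ "$committed" -gt "$served" ]; then base=$committed; else base=$served; fi
  set_serial "$1" $((base + 1)) && extract_dnssec_records "$2"
}

# The hook body (run as: post_receive_hook REPO_ZONE LIVE_ZONE).
post_receive_hook() {
  knotc flush || return 1                                # dump the signed zone
  merge_zone "$1" "$2" > "$2.new" || { rm -f "$2.new"; return 1; }
  mv "$2.new" "$2" && knotc reload                       # serve the merged zone
}

# Constructed sample input (not real data): the committed unsigned zone and a
# dump shaped like Knot's flush output, with dummy key and signature bytes.
write_samples() {
  cat > "$1/example.com.zone" <<'EOF'
$ORIGIN example.com.
$TTL 3600
@    IN SOA ns1.example.com. hostmaster.example.com. (
         2016010401 ; serial
         10800 3600 1209600 3600 )
     IN NS ns1.example.com.
ns1  IN A  192.0.2.1
www  IN A  192.0.2.10
EOF
  cat > "$1/example.com.zone.live" <<'EOF'
;; Zone dump (constructed)
example.com.  3600  SOA  ns1.example.com. hostmaster.example.com. 2016010403 10800 3600 1209600 3600
example.com.  3600  NS  ns1.example.com.
example.com.  3600  DNSKEY  257 3 13 (
              dummykeybytes ) ; KSK; key id = 12345
example.com.  3600  RRSIG  SOA 13 2 3600 20160201000000 20160104000000 12345 example.com. dummysig
example.com.  3600  RRSIG  NS 13 2 3600 20160201000000 20160104000000 12345 example.com. dummysig
example.com.  3600  NSEC  ns1.example.com. NS SOA RRSIG NSEC DNSKEY
example.com.  3600  RRSIG  NSEC 13 2 3600 20160201000000 20160104000000 12345 example.com. dummysig
ns1.example.com.  3600  A  192.0.2.1
EOF
}
```

Running `write_samples` into a scratch directory and then `merge_zone DIR/example.com.zone DIR/example.com.zone.live` prints the committed zone with serial 2016010404 followed by the DNSKEY, NSEC and non-SOA RRSIG records from the dump; the RRSIGs for RRsets the commit changed are stale and get replaced when Knot resigns on reload, which is the behaviour the reply relies on. The flush/merge/reload window is the same one the reply warns about: if Knot's own resigning fires between 'knotc flush' and the reload, the dump is already out of date, so checking 'knotc status' first still applies.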