Feature request: EDNS EXPIRE (RFC 7314) #274
Comments
|
I copy+pasted from the same request to the Knot DNS folk... oops, haha.
|
|
It turns out that Knot DNS has implemented this since version 3.2. It has been in BIND for even longer. I would love to see this in NSD, so that we can make use of it uniformly. Other than in XFR, it also helps when you issue a SOA query, because you can quickly know how far a zone is from expiry, and could use it as a monitoring aid. |
|
Hi @anandb-ripencc! I'll start looking into this. |
|
Hi @k0ekk0ek. Any update on this issue? |
|
Hi @anandb-ripencc. I'm sorry, not yet. It got sidetracked. I'll see if I can start work on this again soon (#278, or simdzone, is keeping me busy, but a first release is close). |
|
@anandb-ripencc, #278 turned out to take (way) more time. I'm sorry it took so long. I'll get started on this feature later this week. |
|
I've been working out how to fit this into NSD. The problem is that the processes serving the data do not keep track of zone administration as that is done by xfrd. The initial idea was to use a shared memory segment containing an expire timer per zone. As multiple versions might be served (current version, plus version after reload), that is not as straightforward as I hoped it'd be. Anyway, just a quick update to indicate this is top of my list. |
|
Thanks for this update Jeroen. Perhaps you can try to solve this issue in 2 parts. It would already be useful if XFRD were to ask for, and honour the EXPIRE option in XFR queries. This would solve the problem where we have multiple chains of XFR servers, and the zone expiry time is extended beyond the operator's intention. This is my main motivation for wanting EXPIRE support in NSD, because we have actually faced this issue. Later, you can try to figure out a way of passing on the expiry timer information to the child processes. |
|
That's most certainly less complicated, I'll see if I can split it up. |
Hi. Long chains of XFR servers can lead to a situation where a zone's expiry is extended well beyond what's in the SOA record. We have recently had this situation with some of our zones, where the secondary kept serving a zone with expired RRSIGs.
Would you consider implementing RFC 7314 in
Knot DNSNSD, both when providing XFR as well as requesting XFR, and honouring the expiry from the EDNS EXPIRE option instead of the SOA record?The text was updated successfully, but these errors were encountered: