Allow only temporary zone updates without making them permanent
Grant Taylor
gtaylor at tnetconsulting.net
Sat Jun 29 18:55:05 UTC 2019
On 6/29/19 12:30 PM, Lefteris Tsintjelis via bind-users wrote:
> I prefer the text format and I always use masterfile-format text. I
> am always tempted to check if everything is OK. Probably a waste of
> time but I just feel safer if I can see things.
I'll argue that it doesn't matter (much) why you want text zones. You
want them, therefore you should have them as long as it's an option.
> Secondaries though are almost always slaves, so writing suppression
> doesn't really matter for them. It is only the primary that matters, so
> if it could suspend writing for just one minute then everything would
> complete perfectly OK. The ACME record doesn't have to be permanently
> stored anywhere.
Hypothetical scenario: Secondary (slave) does not receive a notify,
waits and polls the Primary (master) per standard DNS mechanisms.
If the secondary (slave) has a sufficiently old serial (say it's been
offline for maintenance), it will see the new serial and do a zone
transfer, including the temporary ACME records.
Timing and other conditions might make this unlikely to happen, but I
think that it is a possibility.
> Thank you! This is the "proper" way to do it. I have tested the
> _acme-challenge only dynamic zone as you described it and it worked
> perfectly well and as expected but there is quite a lot to do for
> just one record for one minute in order to work properly.
This is why some people say "pick the lesser of the evils". ;-)
> I am not sure about the CNAMEs. It sounds easier to implement as there
> is only one dynamic zone for all hosts but I am not sure how. The
> _acme-challenge.<host>, from what I know, is expected to be within
> the main domain zone in order for ACME to work properly, so how would
> it work in a separate dynamic one? Wouldn't ACME reject it?
The _acme-challenge.<host> record name is expected to be within the main
domain zone. But there is nothing that prevents that record from being
a CNAME to another zone.
_acme-challenge.www.example.org is a CNAME to www.example.org.dynamic.local
_acme-challenge.www.example.net is a CNAME to www.example.net.dynamic.local
_acme-challenge.www.example.com is a CNAME to www.example.com.dynamic.local
So the only dynamic zone is dynamic.local. Yet ACME clients can query
their expected names, follow the CNAME, and get the data they need.
--
Grant. . . .
unix || die
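As an added illustration of the CNAME-to-dynamic-zone layout Grant describes (example code, not from the original thread or from ISC), the functions below emit the permanent CNAME line for each main zone and the nsupdate batch that publishes or withdraws the validation TXT record in dynamic.local only. The zone name dynamic.local and the three hostnames come from the message above; the TSIG key path, the 60-second TTL and the token value are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Assumptions: dynamic.local is the only zone that accepts dynamic updates,
# the main zones are static text files, and the ACME hook authenticates
# its updates with a TSIG key (path below is an assumed placeholder).

DYNAMIC_ZONE="dynamic.local"
TSIG_KEY_FILE="/etc/bind/keys/acme-update.key"   # assumed path
CHALLENGE_TTL=60                                 # assumed, keep it short

# Owner name of the challenge inside the dynamic zone:
#   www.example.org -> www.example.org.dynamic.local
acme_target() {
    printf '%s.%s\n' "$1" "$DYNAMIC_ZONE"
}

# The one record that lives permanently in the static main zone.
# Because it is a CNAME, the zone file (and its serial) never changes
# during a renewal, so secondaries never transfer a challenge token.
acme_cname_record() {
    printf '_acme-challenge.%s. IN CNAME %s.\n' "$1" "$(acme_target "$1")"
}

# nsupdate batch for the dynamic zone: "add" publishes the token,
# anything else deletes every TXT at that name (the post-validation cleanup).
# Pipe the output into: nsupdate -k "$TSIG_KEY_FILE"
acme_update_batch() {
    host="$1"
    token="$2"
    action="${3:-add}"
    target="$(acme_target "$host")"
    printf 'zone %s.\n' "$DYNAMIC_ZONE"
    if [ "$action" = "add" ]; then
        printf 'update add %s. %s IN TXT "%s"\n' "$target" "$CHALLENGE_TTL" "$token"
    else
        printf 'update delete %s. IN TXT\n' "$target"
    fi
    printf 'send\n'
}

# Demonstration on the three hosts from the thread (token is constructed).
for h in www.example.org www.example.net www.example.com; do
    acme_cname_record "$h"
done
acme_update_batch www.example.org "constructed-token-value" add
acme_update_batch www.example.org "constructed-token-value" delete
```

A practical check after the CNAMEs are in place is `dig +short TXT _acme-challenge.www.example.org`, which should print the CNAME target followed by the TXT in dynamic.local while the token is published, and only the CNAME target once it has been deleted; that is exactly the chain an ACME validator follows. Restricting the TSIG key's `update-policy` to TXT records under dynamic.local keeps the hook from being able to alter anything in the main zones.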