Allow only temporary zone updates without making them permanent
Lefteris Tsintjelis
lefty at spes.gr
Sun Jun 30 09:38:37 UTC 2019
On 30/6/2019 0:29, Grant Taylor via bind-users wrote:
> On 6/29/19 2:13 PM, Lefteris Tsintjelis via bind-users wrote:
>> Standard DNS mechanisms and poll would not work. Everything must be
>> done within 1 minute so notify MUST be used and therefore zone serial
>> must be increased and of course all secondaries MUST be online and
>> respond to the notify properly and sync.
>
> I think we've experienced different things with ACME clients.
It is very possible as not all ACME clients behave the same way.
> Yes, the update needs to be propagated to all the (responding) servers.
> But I've not had any problems if it has taken five or more minutes. I
> don't know what the timeout is. But it's longer than one minute.
>
> I've routinely manually run my ACME client, gotten the new TXT record,
> published it to my master server, waited for it to propagate to the
> slaves, and then run my ACME client for Let's Encrypt to see the updated
> record in DNS.
>
> I know I've been as slow as five minutes before. I think I've been as
> slow as ten to fifteen minutes before.
If you do it manually yes; if you do it automatically from a cron job,
everything is timed.
>> When I tried it (by mistake) with a secondary not synchronized
>> properly (older serial) ACME failed.
>
> Yes, incorrect data will cause ACME to fail. But that's largely
> independent of timing.
>
>> I suppose all this means automatically that the zone MUST be dynamic
>> in order for named to handle all that and propagate everything properly.
>
> Nonsense.
>
> There is nothing that states that you can't manually update your zone,
> remembering to increment the serial number, and then restarting BIND or
> reloading the zone.
>
> BIND will send notifies as it's configured to do so. Slaves will
> eventually do a zone transfer as specified in the SOA record if they
> miss the notify.
>
> My experience has been that a sequence of events needs to be completed.
>
> None of this /requires/ dynamic zones.
Again, no, it is not required, but only if you do it manually. The idea
here is to automate everything and, unless I am missing something, there
is no other way to do this. There has to be a dynamic zone for the ACME
records.
Lefteris
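The pre-flight check this thread circles around, added here as an example and not code from either poster: it parses `dig +short` answers from each authoritative server, confirms every one serves the expected SOA serial and the `_acme-challenge` TXT token, and lists the laggards so an automated job can wait instead of triggering validation against a stale secondary. Server names, serials and tokens below are constructed samples.

```python
import subprocess
from typing import Dict, List, Optional, Tuple

def parse_soa_serial(short_output: str) -> Optional[int]:
    """`dig +short SOA` prints: mname rname serial refresh retry expire minimum."""
    fields = short_output.split()
    return int(fields[2]) if len(fields) >= 7 else None

def parse_txt(short_output: str) -> List[str]:
    """`dig +short TXT` prints one quoted string per line; strip the quotes."""
    return [ln.strip().strip('"') for ln in short_output.splitlines() if ln.strip()]

def observe(server: str, zone: str, challenge_name: str) -> Dict[str, object]:
    """Live query of one authoritative server (not used by the sample run below)."""
    def dig(name: str, rtype: str) -> str:
        cmd = ["dig", "+short", "+norecurse", "@" + server, name, rtype]
        return subprocess.run(cmd, capture_output=True, text=True, timeout=5).stdout
    return {"soa_serial": parse_soa_serial(dig(zone, "SOA")),
            "txt": parse_txt(dig(challenge_name, "TXT"))}

def check_sync(observations: Dict[str, Dict[str, object]],
               expected_serial: int, expected_token: str) -> List[Tuple[str, str]]:
    """Return (server, reason) for every server not yet ready for ACME validation."""
    problems = []
    for server, obs in observations.items():
        if obs["soa_serial"] != expected_serial:
            problems.append((server, f"serial {obs['soa_serial']} != {expected_serial}"))
        elif expected_token not in obs["txt"]:
            problems.append((server, "challenge TXT record not served"))
    return problems

# Constructed sample: raw `dig +short` output as if captured from three
# authoritative servers; ns3 has not applied the latest transfer yet.
SOA_NEW = "ns1.example.com. hostmaster.example.com. 2019063002 3600 900 604800 60"
SOA_OLD = "ns1.example.com. hostmaster.example.com. 2019063001 3600 900 604800 60"
SAMPLE = {
    "ns1.example.com": {"soa_serial": parse_soa_serial(SOA_NEW), "txt": parse_txt('"tokenA"')},
    "ns2.example.com": {"soa_serial": parse_soa_serial(SOA_NEW), "txt": parse_txt('"tokenA"')},
    "ns3.example.com": {"soa_serial": parse_soa_serial(SOA_OLD), "txt": parse_txt("")},
}

if __name__ == "__main__":
    for server, reason in check_sync(SAMPLE, 2019063002, "tokenA"):
        print(f"not ready: {server}: {reason}")
```

For live use, build `observations` from `observe(ns, zone, "_acme-challenge." + zone)` for each NS in the zone and loop until `check_sync` returns an empty list before the ACME client proceeds.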