* Tobias Brunner <tobias(a)tobru.ch>
Hi Ondrej,
Thanks for your fast answer!
We don't have an option to write signed zonefile elsewhere, but you can set
`zonefile-sync: -1` [1] to disable syncing of the zones to the disk. That
way the signatures will be kept only in the zone journal.

1. https://www.knot-dns.cz/docs/2.0/html/reference.html#zonefile-sync
That's great! This solves all of my "troubles" I had...
Be aware that with "zonefile-sync: -1" the journal will grow and grow
until it is full, as it doesn't only contain a simple diff/delta from
the original file (in git), but every single change applied - even
those changes that have been cancelled out by later changes (like old
DNSSEC signatures).
When the journal is full, you cannot submit further nsupdate changes
and I think DNSSEC re-signing is prevented from happening. Therefore,
as I understand it, "zonefile-sync: -1" is not suited for production
use.
See also https://gitlab.labs.nic.cz/labs/knot/issues/164#note_12079
Tore