ahoj jan,
ahoj ondrej (second paragraph is for you),
On Tue, Jul 08, 2014 at 10:37:22PM +0200, Jan Včelák wrote:
> Currently, the signed zone is flushed back to the zone file and this is
> the only place where the signed records are stored. We are considering
> storing of the automatically generated DNSSEC records in a separate
> file, however we have not settled on a specific solution yet.
> In Knot DNS 1.5, there are some improvements - the DNSSEC records are
> stored at the end of the zone file, which could improve the ability to
> store the zone file in a VCS.
thank you for your reply!
i've built 1.5 for debian stable from the experimental package (only the
--with systemd and dh_systemd dependency needed dropping), things seem
to work well. (i'm aware experimental packages don't go to backports,
but chances are 1.5 goes to testing before the next debian release).
for the time being, i'll probably version-track my master zone file
without direct connection to knot, and manually apply the diffs to the
signed zone files.
(entries are grouped by newlines, commented, and don't contain fqdns,
all of which is lost even with 1.5's grouped records).
using knot as someone with little experience in dns, that's what'd feel
natural to me:
zones {
  my-domain.at {
    file "/etc/knot/my-domain.at.zone";
    file "/var/lib/knot/my-domain.at.zone";
  }
}
where knot could determine based on write permissions where to write and
where not to, but for the purpose of reading just concatenate them.
alternatively, `rw-file` could be explicit about writing, or even
`ddns-file` and `dnssec-file` to separate those.
such a setup would allow clean separation of configured state (/etc) and
state the application manages and persists internally (/var/lib), and as
a side effect allow otherwise unrelated zones to share configuration
snippets.
best regards
chrysn
--
I shouldn't have written all those tank programs.
-- Kevin Flynn
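Added example (not code from this thread and not part of Knot DNS): a small Python filter that splits a flushed zone file into the operator-maintained records and the signer-generated DNSSEC records, emitting the kept lines unchanged so that comments, blank-line grouping and relative owner names survive and the operator part can be diffed against a VCS-tracked master file. It assumes standard master-file syntax and that the auto-generated records are exactly the RR types listed in DNSSEC_TYPES; the sample zone, its key tag and signature data are constructed.

```python
"""Split a signed master-format zone file into the operator-maintained
records and the signer-generated DNSSEC records.  Kept lines are emitted
unchanged, so comments, blank-line grouping and relative owner names
survive and the operator part can be diffed against a VCS-tracked master.
(Added example; not part of Knot DNS.)"""
import re

# RR types treated as signer-generated.  Assumption: this is the set an
# automatic signer writes into the zone; adjust if your signer differs.
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY", "CDS", "CDNSKEY"}

QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')          # "..." with escapes
TTL = re.compile(r"^\d+[smhdwSMHDW]?$")             # 3600, 1h, 2d ...
CLASSES = {"IN", "CH", "HS"}


def strip_comment(line):
    """Return the line with quoted strings blanked and any ';' comment cut.
    Quoted strings are blanked first so a ';' or '(' inside TXT data does
    not count as a comment or a continuation."""
    return QUOTED.sub('""', line).split(";", 1)[0]


def record_type(logical):
    """RR type of one logical record written as [owner] [ttl] [class] TYPE rdata;
    returns the directive name for $ORIGIN/$TTL/$INCLUDE lines."""
    tokens = logical.replace("(", " ").replace(")", " ").split()
    if not tokens:
        return None
    if logical[0] == "$":
        return tokens[0]
    if not logical[0].isspace():
        tokens = tokens[1:]          # owner name present; skip it
    for tok in tokens:
        if TTL.match(tok) or tok.upper() in CLASSES:
            continue                 # optional TTL / class fields
        return tok.upper()
    return None


def split_zone(text):
    """Return (operator_text, dnssec_text).  Multi-line records inside
    parentheses are grouped so a continued RRSIG is moved as a whole."""
    keep, dnssec = [], []
    group, depth = [], 0
    for raw in text.splitlines(keepends=True):
        code = strip_comment(raw)
        if not group and not code.strip():
            keep.append(raw)         # blank or comment-only line: formatting
            continue
        group.append(raw)
        depth += code.count("(") - code.count(")")
        if depth > 0:
            continue                 # record continues on the next line
        logical = " ".join(strip_comment(l) for l in group)
        target = dnssec if record_type(logical) in DNSSEC_TYPES else keep
        target.extend(group)
        group, depth = [], 0
    keep.extend(group)               # unbalanced '(' at EOF: keep, never drop
    return "".join(keep), "".join(dnssec)


# Constructed sample: a zone as a signer might flush it, DNSSEC data last.
SAMPLE_ZONE = """\
$ORIGIN my-domain.at.
$TTL 3600
; operator-maintained part
@       IN SOA  ns1 hostmaster ( 2014070801 7200 3600 1209600 3600 )
        IN NS   ns1
ns1     IN A    192.0.2.1

; mail
@       IN MX   10 mail
mail    IN A    192.0.2.25
@       IN DNSKEY 257 3 8 ( AwEAAexample== ) ; KSK
@       IN RRSIG  SOA 8 2 3600 20140808000000 20140708000000 12345 my-domain.at. (
                  c2lnbmF0dXJlZXhhbXBsZQ== )
@       IN NSEC   mail NS SOA MX RRSIG NSEC DNSKEY
"""

if __name__ == "__main__":
    operator, dnssec = split_zone(SAMPLE_ZONE)
    print("--- operator part ---\n" + operator)
    print("--- signer part ---\n" + dnssec)
```

The operator part written by split_zone is what one would commit to the VCS and diff against the master zone; the DNSSEC part is left to the signer, which regenerates it on the next load anyway.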