29 Led
2025
29 Led
'25
1:18
Hi Knots,
I use catalog zones to sync the set of zones my (hidden)master and slaves
handle. I'm trying to stop messing with zone files on my master, instead
switching exclusively to nsupdate (along with Tony Finch's nsdiff).
In my testing it seems updating the zone after adding it via a catalog is
not possible:
$ knotc zone-status dxld.at
[dxld.at.] role: master | serial: - | catalog: dxld.catalog. | re-sign: +9D15h6m14s
Yet the update fails:
$ knsupdate -y $SECRET <<EOF
server ns0.dxld.at.
zone dxld.at.
add dxld.at. 3600 IN SOA ns0.dxld.at. hostmaster.dxld.at. 1 2m 5m 1w 5m
send
update failed: SERVFAIL
Nothing is logged with `logging: any: debug` except a "ACL, allowed, action
update".
As soon as I create the zone on the server with zone{-begin,-set,-commit}
it starts working ofc. I guess this is just not supported, but is there a
good reason? I would find it quite convenient to do all my DNS ops over
port 53 without touching ssh ;-)
Thanks,
--Daniel
29 Led
29 Led
7:41
Hi Daniel,
you are right, this is not possible. It's a historical design and I don't know if
there
is still a good reason for that. We will investigate.
However, I don't understand the benefits of DDNS over XFR?
Daniel
On 1/29/25 02:18, Daniel Gröber wrote:
Hi Knots,
I use catalog zones to sync the set of zones my (hidden)master and slaves
handle. I'm trying to stop messing with zone files on my master, instead
switching exclusively to nsupdate (along with Tony Finch's nsdiff).
In my testing it seems updating the zone after adding it via a catalog is
not possible:
$ knotc zone-status dxld.at
[dxld.at.] role: master | serial: - | catalog: dxld.catalog. | re-sign: +9D15h6m14s
Yet the update fails:
$ knsupdate -y $SECRET <<EOF
server ns0.dxld.at.
zone dxld.at.
add dxld.at. 3600 IN SOA ns0.dxld.at. hostmaster.dxld.at. 1 2m 5m 1w 5m
send
update failed: SERVFAIL
Nothing is logged with `logging: any: debug` except a "ACL, allowed, action
update".
As soon as I create the zone on the server with zone{-begin,-set,-commit}
it starts working ofc. I guess this is just not supported, but is there a
good reason? I would find it quite convenient to do all my DNS ops over
port 53 without touching ssh ;-)
Thanks,
--Daniel
--
10:14
Hi Daniel,
On Wed, Jan 29, 2025 at 08:41:42AM +0100, Daniel Salzman wrote:
you are right, this is not possible. It's a
historical design and I don't
know if there is still a good reason for that. We will investigate.
Awesome! Thanks for taking the time.
However, I don't understand the benefits of DDNS
over XFR?
Me neither, that's why I'm experimenting :-)
My current understanding is that the main tradeoffs are these:
- AXFR needs a static IP for master vs. nsupdate allows dynamic IP
- AXFR needs DNSSEC keys on machine keeping zonefiles vs nsupdate can
delegate signing to server (but doesn't have to)
- AXFR makes multi-master complicated^TM - nsupdate doesn't care as long
as SOA is increasing.
Consider a setup where zone files are in git and I want to push DNS updates
in a gitops'y way. I could in principle setup a knot AXFR master as part of
the CI build, perhaps along with some VPN to satisfy the static IP
requirement, send a NOTIFY, parse logs to figure out if all slaves went and
got them and tear down the build, but it's a major hassle.
AFAICT there is no way to have knot slaves come back to the IP that sent
them a NOTIFY (not to mention other implementations) so there is no way to
escape needing a static IP for the master.
Additionally error reporting is non-existent in that setup unless I pain
stakingly add checks by parsing logs. I'd sooner go back to SSHing to the
master. OTOH nsupdate just tells me if something failed as we saw.
Anyway, my personal use-case is similar: zonefiles are (file) synced across
my workstation(s) but in addition to having dynamic IPs and machines not
always being up and there's two of them and I want to work on DNS on either
:-)
So that makes nsupdate+nsdiff look a lot more convinient and clean to me.
Thanks,
--Daniel
19:49
Me neither, that's why I'm experimenting :-)
I wonder if there's some confusion here, possibly on my end. :)
- AXFR needs a static IP for master vs. nsupdate
allows dynamic IP
XFR from a primary (or secondary) needs a known address, correct, but directing
an RFC2136 update to a server requires knowing that server's IP as well.
Without specifying a target, the UPDATE will be sent to the SOA MNAME by
default.
To me this is comparing apples and slices of chocolate :)
- AXFR needs DNSSEC keys on machine keeping zonefiles
vs nsupdate can
delegate signing to server (but doesn't have to)
DNSSEC keys must exist on the signer, typically a primary; it's independent on
whether that will be an XFR source or an UPDATE target. The signer needs the
keys.
nsupdate doesn't "delegate signing"; the update target will sign if signed.
- AXFR makes multi-master complicated^TM - nsupdate
doesn't care as long
as SOA is increasing.
This sounds to me as though you intend sending UPDATEs to each of your
secondaries individually. Good luck doing that and keeping the result
consistent, particularly if you're signing.
Consider a setup where zone files are in git and I want
to push DNS updates
in a gitops'y way. I could in principle setup a knot AXFR master as part of
the CI build, perhaps along with some VPN to satisfy the static IP
requirement, send a NOTIFY, parse logs to figure out if all slaves went and
got them and tear down the build, but it's a major hassle.
Indeed. That's why XFR was invented.
So that makes nsupdate+nsdiff look a lot more
convinient and clean to me.
With a single target, I don't disagree; with multiple, well I've commented on
that.
Regards,
-JP
30 Led
30 Led
7:46
Hi,
how I understand the situation is that Daniel's primary server (which is
probably also a signer) is also a catalog consumer.
And the zone contents are probably derived from some database (or
something) and the question is, how to fill them into the primary, if
zone files are not desired for any reason.
Point is, that DDNS was always (and this is not limited to Knot DNS)
intended as an _update_ facility -- modifying existing zone. It does not
support bootstrapping, when the zone is not yet loaded from zone file
(or AXFRed from anywhere).
What I would recommend is to use generic zone file (which uses "@" in
all places where zone name would be) with dummy contents, so that the
newly created (by catalog) zone is loaded with something, and after that
fill the right contents with DDNS.
In the attachment, you can find an example of a generic zone file (it
can be much shorter, Knot might even forgive not including any apex NS).
With that, the catalog member template can be configured along following
ideas:
template:
- id: catalog_member
file: /somehwere/generic.zone
zonefile-sync: -1 # dont overwrite generic zonefile
journal-content: all
acl: allow_ddns
notify: [ secondary1, secondary2 ]
By the way, I would not recommend using SOA MNAME in 2025, better always
know the IP of the specific server you need to update.
Libor
On 29. 01. 25 20:49, Jan-Piet Mens wrote:
Me neither,
that's why I'm experimenting :-)
I wonder if there's some confusion here, possibly on my end. :)
- AXFR needs a static IP for master vs. nsupdate
allows dynamic IP
XFR from a primary (or secondary) needs a known address, correct, but
directing
an RFC2136 update to a server requires knowing that server's IP as well.
Without specifying a target, the UPDATE will be sent to the SOA MNAME by
default.
To me this is comparing apples and slices of chocolate :)
- AXFR needs DNSSEC keys on machine keeping
zonefiles vs nsupdate can
delegate signing to server (but doesn't have to)
DNSSEC keys must exist on the signer, typically a primary; it's
independent on
whether that will be an XFR source or an UPDATE target. The signer
needs the
keys.
nsupdate doesn't "delegate signing"; the update target will sign if
signed.
- AXFR makes multi-master complicated^TM -
nsupdate doesn't care as long
as SOA is increasing.
This sounds to me as though you intend sending UPDATEs to each of your
secondaries individually. Good luck doing that and keeping the result
consistent, particularly if you're signing.
Consider a setup where zone files are in git and
I want to push DNS
updates
in a gitops'y way. I could in principle setup a knot AXFR master as
part of
the CI build, perhaps along with some VPN to satisfy the static IP
requirement, send a NOTIFY, parse logs to figure out if all slaves
went and
got them and tear down the build, but it's a major hassle.
Indeed. That's why XFR was invented.
So that makes nsupdate+nsdiff look a lot more
convinient and clean to
me.
With a single target, I don't disagree; with multiple, well I've
commented on that.
Regards,
-JP
--
31 Led
31 Led
9:18
Hi Jan-Piet, Libor,
On Wed, Jan 29, 2025 at 08:49:06PM +0100, Jan-Piet Mens wrote:
I should have explained my topology better. The nsupdate based setup looks
like this:
[Workstation] ->RFC2136 [Primary] ->AXFR [Slaves...]
The tradeoffs I'm referring to are in that first hop. Primary always has a
static IP that's no problem, but with AXFR between Workstation and Primary
the Workstation needs a static IP too. That's what I'm avoiding by using
nsupdate. Note for auth I'd be using just TSIG here no IP ACL, or perhaps
one that allows my entire /48 space.
Right, here I was confused. If I accept the "spin up a temporary knot"
approach this is also possible with AXFR. Perhaps my point should have been
this: the nsupdate approach is (also) flexible with regard to who the
signer is.
No, I'm intending to add a second primary (ok, technically first-level
secondary if you're thinking in AXFR terms) if the basic setup works. I'm
still experimenting with that. Ofc signing is going to make things
complicated. Perhaps that will make having keys on the Workstation
preferable to dealing with that or I'll just drop the multi-master idea.
We'll see.
I dont think I get your meaning? If XFR was invented for this particular
use-case I sure hope the setup wouldnt need to be as convoluted and
difficult as I'm describing :-)
Libor,
On Thu, Jan 30, 2025 at 08:46:22AM +0100, Libor Peltan wrote:
- AXFR needs a
static IP for master vs. nsupdate allows dynamic IP
XFR from a primary (or secondary) needs a known address, correct, but directing
an RFC2136 update to a server requires knowing that server's IP as well.
Without specifying a target, the UPDATE will be sent to the SOA MNAME by
default. To me this is comparing apples and slices of chocolate
:)
I wouldn't mind both an apple and some chocolate right now, all I have is
bananas on the long journey to FOSDEM :-)
- AXFR needs
DNSSEC keys on machine keeping zonefiles vs nsupdate can
delegate signing to server (but doesn't have to)
DNSSEC keys must exist on the signer, typically a primary; it's
independent on whether that will be an XFR source or an UPDATE
target. The signer needs the keys.
nsupdate doesn't "delegate signing"; the update target will sign if signed.
- AXFR makes
multi-master complicated^TM - nsupdate doesn't care as long
as SOA is increasing.
This sounds to me as though you intend sending UPDATEs to each of your
secondaries individually. Good luck doing that and keeping the result
consistent, particularly if you're signing. Consider a
setup where zone files are in git and I want to push DNS updates
in a gitops'y way. I could in principle setup a knot AXFR master as part of
the CI build, perhaps along with some VPN to satisfy the static IP
requirement, send a NOTIFY, parse logs to figure out if all slaves went and
got them and tear down the build, but it's a major hassle.
Indeed. That's why XFR was invented. how I understand the situation is that Daniel's
primary server (which is
probably also a signer) is also a catalog consumer.
Correct.
And the zone contents are probably derived from some
database (or something)
and the question is, how to fill them into the primary, if zone files are
not desired for any reason.
No database (or something). Just zonefiles on my workstation(s). The tricky
bit is that I switch between working on my laptop and desktop
machines. That's my personal use-case, but you can just as well imagine an
organizational use-case where different people should be able to work on
the same zonefiles synced via git instead of syncthing (which I use).
Note that in the git based scenario you could use CI automation for
deploying or people could just run nsupdate on their machines. Doesn't
matter. Which is a nice property of this setup IMO.
Point is, that DDNS was always (and this is not
limited to Knot DNS)
intended as an _update_ facility -- modifying existing zone. It does not
support bootstrapping, when the zone is not yet loaded from zone file (or
AXFRed from anywhere).
Right.
What I would recommend is to use generic zone file
(which uses "@" in all
places where zone name would be) with dummy contents, so that the newly
created (by catalog) zone is loaded with something, and after that fill the
right contents with DDNS.
I have considered the basic idea of using a dummy zonefile and discarded
the idea as janky :-P. My approach would have been a cronjob that parses
the catalog zone, but your approach of using just a generic zonefile does
make this significantly more appealing.
I see one problem: say I have secondaries where the relevant zone already
exists, now I redeploy the primary (after, say, the machine goes up in
flames). For a short while there secondaries will see the dummy zone's
serial. IF I'm unlucky and the serial-math works out whatever serial the
secondaries have right now could conceivably be lower than whatever is in
the dummy zone (remember: RFC1982) causing them to empty the zone causing
an otherwise harmless hidden-primary outage to escalate significantly.
Now that scenario is impossible in my lab as I use date-based serials but
I'd (ideally) like this setup to also be applicable to high update rate
zones where those won't work.
In the attachment, you can find an example of a
generic zone file (it can be
much shorter, Knot might even forgive not including any apex NS). With that,
the catalog member template can be configured along following ideas:
Thanks! I'm going to use this to carry on my experiments but I do think an
option to allow UPDATE to create zones (if they are in the catalog already)
would still be useful.
By the way, I would not recommend using SOA MNAME in
2025, better always
know the IP of the specific server you need to update.
The server has IP ACLs and requires TSIG for UPDATEs I don't see why it
matters where nsupdate gets the server name from. I know knsupdate doesn't
support this I'd probably still script that with (k)dig if needed ;-)
I'm not as well read in the more recent DNS RFCs as I perhaps should be
(did anything important happen since 1987 anyway? ;-P), is there a good
reason that I'm not seeing?
Thanks,
--Daniel
9:28
Hi,
On 31. 01. 25 10:18, Daniel Gröber wrote:
now I redeploy the primary (after, say, the machine
goes up in
flames). For a short while there secondaries will see the dummy zone's
serial. IF I'm unlucky and the serial-math works out
Do you think that you make 2000000000+ updates to some zone? It is 23
days of 1000 upd/sec torture.
And even if, than if you configure journal-content:all on the
secondary/ies, they should have overview about all the history and don't
mess up if the primary goes backwards in SOA serials.
Libor
9:46
On Fri, Jan 31, 2025 at 10:28:42AM +0100, Libor Peltan wrote:
Hi,
On 31. 01. 25 10:18, Daniel Gröber wrote:
Who's to say. I learned yesterday some people stream video over DNS :D
$ dig +short TXT {0..92}.vid.demo.servfail.network | sed 's/[" ]*//g' |
base64 -d | mpv -
Seriously though. It is unlikely, but it's just one of those nagging things
I don't want to have in the back of my mind and/or communicate if I
recommend this setup to people. Keep in mind it's not so much about what
I'm going to do with this, but what other people might come up with once I
publish it.
I'm ofc. happy to send patches if y'all are to busy to enable this niche
use-case.
now I redeploy the primary (after, say, the
machine goes up in
flames). For a short while there secondaries will see the dummy zone's
serial. IF I'm unlucky and the serial-math works out
Do you think that you make 2000000000+ updates to some zone? It is 23 days
of 1000 upd/sec torture. And even if, than if you configure journal-content:all
on the secondary/ies,
they should have overview about all the history and don't mess up if the
primary goes backwards in SOA serials.
How do you mean? I'm not aware of this behaviour, is that documented
somewhere?
Thanks,
--Daniel
1 Úno
1 Úno
10:49
Hi,
On 1/31/25 10:18, Daniel Gröber wrote:
option to allow UPDATE to create zones (if they are in
the catalog already)
would still be useful.
Just random stuff that comes to mind:
Instead of an option, one could also store the member zone serial as a member property
(which could be useful for tracking missed NOTIFYs anyway*), and then accept an UPDATE
containing both SOA and NS iff the SOA serial matches that property.
(The latter would need some thinking-through if DNSSEC signing is done by the receiving
end in a way that affects the serial.)
Cheers,
Peter
* Catalog-based replication: I've thought for a long time that it would be really nice
to have catalog zones with member serial numbers, and use IXFR at a high rate (say,
governed by the catalog zone's SOA REFRESH interval) to inform secondaries about what
to update. When running more than just a few zones, this is much better than doing SOA
REFRESH checks on all member zones at that same rate. (Especially if member zones change
rarely, but one wants changes to propagate quickly.) This would work particularly well
where NOTIFYs are unreliable (because the regular catalog IXFR catches all lost NOTIFYs,
regardless of when they were lost), and it would unity the mechanism for initial
provisioning and replication of changes. At deSEC, we'd really (really!) like that! (I
understand it's not a trivial addition.)
--
https://desec.io/
18:09
Hi Peter,
I wonder how often you observe a missed NOTIFY. Knot uses TCP for sending NOTIFY and if it
fails, another attempt is scheduled.
Also I'm not convinced that the zone serial property can improve the situation. It
just moves individual zone NOTIFYs to more
frequent catalog updates and sending NOTIFYs. Have you already seen this concept in
practice?
Daniel
On 2/1/25 11:49, Peter Thomassen via knot-dns-users wrote:
Hi,
On 1/31/25 10:18, Daniel Gröber wrote:
option to allow UPDATE to create zones (if they
are in the catalog already)
would still be useful.
Just random stuff that comes to mind:
Instead of an option, one could also store the member zone serial as a member property
(which could be useful for tracking missed NOTIFYs anyway*), and then accept an UPDATE
containing both SOA and NS iff the SOA serial matches that property.
(The latter would need some thinking-through if DNSSEC signing is done by the receiving
end in a way that affects the serial.)
Cheers,
Peter
* Catalog-based replication: I've thought for a long time that it would be really
nice to have catalog zones with member serial numbers, and use IXFR at a high rate (say,
governed by the catalog zone's SOA REFRESH interval) to inform secondaries about what
to update. When running more than just a few zones, this is much better than doing SOA
REFRESH checks on all member zones at that same rate. (Especially if member zones change
rarely, but one wants changes to propagate quickly.) This would work particularly well
where NOTIFYs are unreliable (because the regular catalog IXFR catches all lost NOTIFYs,
regardless of when they were lost), and it would unity the mechanism for initial
provisioning and replication of changes. At deSEC, we'd really (really!) like that! (I
understand it's not a trivial addition.)
20
days inactive
23
days old
9 comments
5 participants
participants (5)
-
Daniel Gröber -
Daniel Salzman -
Jan-Piet Mens -
Libor Peltan -
Peter Thomassen