[knot-dns-users] Manage zonefile directory in git

Tore Anderson tore at fud.no
Mon Jan 4 12:47:17 CET 2016

* Tobias Brunner <tobias at tobru.ch>

> Hi Ondrej,
> Thanks for your fast answer!
> > We don't have an option to write signed zonefile elsewhere, but you can set
> > `zonefile-sync: -1`[1] to disable syncing of the zones to the disk.  That
> > way the signatures will be kept only in the zone journal.
> > 
> > 1. https://www.knot-dns.cz/docs/2.0/html/reference.html#zonefile-sync  
> That's great! This solves all of my "troubles" I had...

Be aware that with "zonefile-sync: -1" the journal will grow and grow
until it is full, as it doesn't only contain a simple diff/delta from
the original file (in git), but every single change applied - even
those changes that have been cancelled out by later changes (like old
DNSSEC signatures).

When the journal is full, you cannot submit further nsupdate changes
and I think DNSSEC re-signing is prevented from happening. Therefore,
as I understand it, "zonefile-sync: -1" is not suited for production.

See also https://gitlab.labs.nic.cz/labs/knot/issues/164#note_12079
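The two settings discussed in this thread side by side, as an added configuration example that is not from the thread or from the Knot DNS project. Only `zonefile-sync` is confirmed by the messages above; `storage`, `file`, `dnssec-signing` and `max-journal-size` are assumed to be the zone-section option names of Knot DNS 2.x of that era (`max-journal-size` was later replaced), and the paths, zone names, cap and interval are placeholders. Check the reference for your own version before using it.

```yaml
# Added example (not from the thread or the Knot DNS project).
# Contrasts "zonefile-sync: -1" with a periodic sync for a git-managed
# zonefile directory. Option names other than zonefile-sync are assumed
# from the Knot 2.x zone section; paths, names and values are placeholders.
zone:
  # Variant 1: the unsigned zonefile stays exactly as committed in git and
  # signatures live only in the journal. As the message above explains,
  # the journal keeps every changeset, including RRSIGs that later
  # changesets have already replaced, so it grows without bound.
  # Capping it (assumed option max-journal-size) protects the disk, but
  # once the cap is reached further nsupdate changes, and apparently
  # re-signing, are refused.
  - domain: example.com
    storage: /var/lib/knot/zones
    file: example.com.zone
    dnssec-signing: on
    zonefile-sync: -1
    max-journal-size: 100M   # assumption: cap instead of unbounded growth

  # Variant 2: let Knot write the signed zone back to disk periodically
  # (TIME value, default 0 = immediately) so applied changes are persisted
  # in the zonefile rather than held in the journal indefinitely. The
  # written file is then the signed zone, so the git checkout has to live
  # in a separate directory and be copied into 'storage' on deploy.
  - domain: example.net
    storage: /var/lib/knot/zones
    file: example.net.zone
    dnssec-signing: on
    zonefile-sync: 1h
```

With the first variant, monitor journal usage and alert well before the cap; with the second, treat the file under `storage` as generated output and never commit it back into the repository.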
