[knot-dns-users] Manage zonefile directory in git

Jan Včelák jan.vcelak at nic.cz
Mon Jan 4 15:12:30 CET 2016


Hello Tobias,

On Tuesday, December 29, 2015 01:28:20 PM Tobias Brunner wrote:
> > We don't have an option to write signed zonefile elsewhere, but you can
> > set `zonefile-sync: -1`[1] to disable syncing of the zones to the disk.
> > That way the signatures will be kept only in the zone journal.
> >
> > 1. https://www.knot-dns.cz/docs/2.0/html/reference.html#zonefile-sync
> 
> That's great! This solves all of my "troubles" I had...

Beware, this is very tricky.

Knot tries to apply the changes from the journal on top of the zone file. For 
this purpose, it uses the zone SOA serial as the only indicator of zone 
version. Nothing else.

If you give Knot DNS a zone file with serial X, assuming DNSSEC signing is 
enabled, the server will update the zone with serial X+1. The difference 
between X and X+1 is written into the journal. Another resigning will increase 
the serial again. And so on.

So if your zone file still contains serial X, but the journal contains a much 
newer version (let's say X+10), and you decide to change the zone file, you 
*must* set the newer serial in the zone file at least to X+11. Otherwise, your 
zone will get inconsistent because Knot will try to apply the changes in the 
journal on top of the updated zone.

What's more, we obviously cannot reuse valid signatures from the journal when 
the journal gets out-of-sync from the zone. It's cheaper to resign the zone.

Also, setting zonefile-sync to -1 just disables periodic flushing of the 
journal. The journal can still be flushed when it's full.

So having the zones in git including signatures is actually a good solution. 
Just saying...

Cheers,

Jan
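
The serial rule described in this message can be enforced before an edited zone file is committed or reloaded. The following is an added example, not part of the original message and not Knot DNS code: the function names and the sample zone are constructed, and `served_serial` is assumed to be the serial the server currently answers with (for instance the third field of `dig +short SOA <zone> @<server>`).

```python
SERIAL_MOD = 2 ** 32
HALF = 2 ** 31

def soa_serial(zone_text):
    """Return the SOA serial from master-file text (multi-line form included)."""
    # Simplification: drops everything after ';', so a ';' inside a quoted
    # TXT string ahead of the SOA record would confuse it.
    lines = [line.split(";", 1)[0] for line in zone_text.splitlines()]
    tokens = " ".join(lines).replace("(", " ").replace(")", " ").split()
    for i, tok in enumerate(tokens):
        if tok.upper() == "SOA":
            # SOA RDATA order: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
            return int(tokens[i + 3])
    raise ValueError("no SOA record found")

def serial_gt(a, b):
    """RFC 1982 serial arithmetic: True if serial a is newer than serial b."""
    return a != b and ((a - b) % SERIAL_MOD) < HALF

def check_edit(zone_text, served_serial):
    """Return (ok, message) for an edited zone file.

    served_serial is the version already reached through the journal
    (the X+10 of the message); the file must carry a newer serial.
    """
    file_serial = soa_serial(zone_text)
    if serial_gt(file_serial, served_serial):
        return True, f"ok: file serial {file_serial} is newer than {served_serial}"
    return False, (f"refuse: file serial {file_serial} is not newer than served "
                   f"serial {served_serial}; journal changes would be applied "
                   f"on top of the edited zone")

# Constructed sample zone, for illustration only.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@ IN SOA ns1.example.com. hostmaster.example.com. (
        2016010400 ; serial
        3600 900 604800 300 )
@ IN NS ns1.example.com.
"""

if __name__ == "__main__":
    # File still at X while the server has resigned its way to X+10.
    print(check_edit(SAMPLE_ZONE, 2016010410)[1])
    print(check_edit(SAMPLE_ZONE.replace("2016010400", "2016010411"), 2016010410)[1])
```

Run as a git pre-commit hook or in the deployment step, a failed check means the serial in the file has to be raised before the server reloads it.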



