[knot-dns-users] Manage zonefile directory in git

Jan Včelák jan.vcelak at nic.cz
Mon Jan 4 17:04:27 CET 2016


Hello.

On Monday, January 04, 2016 04:20:38 PM Tobias Brunner wrote:
> Is there a feature in Knot where I can leave out the serial and just put a
> placeholder there? So that Knot manages the serial by itself? Knot could
> then f.e. look at the timestamp of the zonefile to decide if it needs to
> update the zone serial (f.e. unix timestamp) and reload the zone.

There is not at the moment. But I agree that it would be very useful. And 
I think the first step towards a real solution would be to store the 
automatically generated records separately. But this brings complications with 
DDNS, with intentionally broken zones containing garbage, etc.

> Are there any other suggestions how to manage zonefiles in Git when using
> DNSSEC? Is it a problem when replacing the zonefile every time with an
> unsigned one and let Knot resign the whole zone, or zones, because with a
> git reset all zonefiles will be replaced by the original files? Looks like
> this would cause a lot of troubles because of the automatic serial
> increment when signing a zone. Setting zonefile-sync to -1 seems not to be
> a great idea in production...

There will always be a possibility that Knot will resign the zone at the time 
interval when the zone file will be updated. What I do when I manually edit 
the zone file is to run 'knotc flush' and 'knotc status' first to check when 
the automatic signing will take place. Just to make sure that I'm in the safe 
interval.

There is no problem in resigning the zone if your zone has a reasonable size. 
The only danger is just related to the serial number handling.

I think the problem can also be solved by a bit more intelligent git hook. The 
hook can execute 'knotc flush', then extract the DNSKEY, RRSIG, and NSEC/NSEC3 
records from the flushed zone. Take the input zone from git, append these 
records to the zone file, increase the serial and reload the server. Should 
not be that hard...

> General question: How are others managing zonefiles besides in Git?

I would like to know that as well. :-)

Cheers,

Jan
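The hook Jan sketches above, written out as a POSIX shell script. This is an added example, not code from the post or from the Knot project. It assumes the `knotc flush` and `knotc reload` commands named in the thread, an unsigned zone file tracked in git at `$ZONE_REPO/<zone>.zone` and the file Knot flushes at `$KNOT_ZONEDIR/<zone>.zone` (both paths and the `deploy_zone` entry point are assumptions), that the flushed file has one record per line with the owner written out, and that the git-tracked SOA is on a single line. The merge step picks a serial strictly greater than both the git file's serial and the serial Knot is currently serving, because after automatic resigning the served serial is usually ahead of the one in git, and a reload with a lower serial would never reach the secondaries.

```shell
#!/bin/sh
# Added example (not from the original post or the Knot project).
# Assumed layout (override via environment):
#   $ZONE_REPO/<zone>.zone    - unsigned zone file tracked in git
#   $KNOT_ZONEDIR/<zone>.zone - file written by 'knotc flush'
set -eu
ZONE_REPO=${ZONE_REPO:-/srv/zones-git}
KNOT_ZONEDIR=${KNOT_ZONEDIR:-/var/lib/knot/zones}

# Print the records Knot generated while signing (DNSKEY, RRSIG, NSEC, NSEC3,
# NSEC3PARAM) from a flushed, one-record-per-line zone file. The type token
# sits in field 2, 3 or 4 depending on whether TTL and class are present.
dnssec_records() {
    awk '/^[;$]/ { next }
         { for (i = 2; i <= 4 && i <= NF; i++)
               if ($i ~ /^(DNSKEY|RRSIG|NSEC|NSEC3|NSEC3PARAM)$/) { print; break } }' "$1"
}

# Print the SOA serial of a zone file whose SOA record is on one line
# (assumption: the git-tracked file keeps it that way).
soa_serial() {
    awk '{ for (i = 2; i <= 4 && i <= NF; i++)
               if ($i == "SOA") { print $(i + 3); exit } }' "$1"
}

# Print zone file $1 with its SOA serial replaced by $2.
with_serial() {
    awk -v serial="$2" '{ for (i = 2; i <= 4 && i <= NF; i++)
                              if ($i == "SOA") { $(i + 3) = serial; break } }
                        { print }' "$1"
}

# Build the zone to load: git input plus Knot's DNSSEC records, with a serial
# strictly greater than both the git serial and the currently served serial.
# Serial arithmetic (RFC 1982) wraps at 2^32; the modulo keeps the value in
# range, which is enough for date- or counter-style serials.
# Prints the new serial.
merge_zone() {
    git_zone=$1; flushed_zone=$2; out=$3
    git_serial=$(soa_serial "$git_zone")
    live_serial=$(soa_serial "$flushed_zone")
    new_serial=$(( (git_serial > live_serial ? git_serial : live_serial) + 1 ))
    new_serial=$(( new_serial % 4294967296 ))
    {
        with_serial "$git_zone" "$new_serial"
        dnssec_records "$flushed_zone"
    } > "$out"
    echo "$new_serial"
}

# Hook entry point (assumed name): flush, merge, reload. As the post notes,
# this still races with Knot's automatic resigning; run it inside the safe
# interval reported by 'knotc status'.
deploy_zone() {
    zone=$1
    live="$KNOT_ZONEDIR/$zone.zone"
    knotc flush "$zone"
    merge_zone "$ZONE_REPO/$zone.zone" "$live" "$live.new" > /dev/null
    mv "$live.new" "$live"
    knotc reload
}
```

Run it from a post-receive or post-checkout hook as `deploy_zone example.com`; `git reset` then only touches the unsigned input, and the signed records keep coming from Knot's own flushed copy.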