[knot-dns-users] Manage zonefile directory in git
jan.vcelak at nic.cz
Mon Jan 4 17:04:27 CET 2016
On Monday, January 04, 2016 04:20:38 PM Tobias Brunner wrote:
> Is there a feature in Knot where I can leave out the serial and just put a
> placeholder there? So that Knot manages the serial by itself? Knot could
> then f.e. look at the timestamp of the zonefile to decide if it needs to
> update the zone serial (f.e. unix timestamp) and reload the zone.
There is not at the moment. But I agree that it would be very useful. And
I think the first step towards a real solution would be to store the
automatically generated records separately. But this brings complications with
DDNS, with intentionally broken zones containing garbage, etc.
> Are there any other suggestions how to manage zonefiles in Git when using
> DNSSEC? Is it a problem when replacing the zonefile every time with an
> unsigned one and let Knot resign the whole zone, or zones, because with a
> git reset all zonefiles will be replaced by the original files? Looks like
> this would cause a lot of troubles because of the automatic serial
> increment when signing a zone. Setting zonefile-sync to -1 seems not to be
> a great idea in production...
There will always be a possibility that Knot will resign the zone in the time
interval when the zone file is being updated. What I do when I manually edit
the zone file is to run 'knotc flush' and 'knotc status' first to check when
the automatic signing will take place. Just to make sure that I'm in the safe
There is no problem in resigning the zone, if your zone has a reasonable size.
The only danger is just related to the serial number handling.
I think the problem can be also solved by a bit more intelligent git hook. The
hook can execute 'knotc flush', then extract the DNSKEY, RRSIG, and NSEC/NSEC3
records from the flushed zone. Take the input zone from git, append these
records to the zone file, increase the serial and reload the server. Should
not be that hard...
> General question: How are others managing zonefiles besides in Git?
I would like to know that as well. :-)
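Added example (my code, not Jan's or the Knot project's): a POSIX shell sketch of the git hook described in the last paragraph, combined with the serial placeholder Tobias asked about. It assumes a literal @SERIAL@ placeholder in the git copy of the SOA, Knot's one-record-per-line flush output with absolute owner names, and hypothetical zone name and file paths.

```shell
# Git hook sketch (added example) for the flush/merge/bump/reload idea above. Assumed,
# not from the thread: the git copy keeps a literal @SERIAL@ placeholder in its SOA;
# the flushed file is Knot's one-record-per-line dump with absolute owner names.
set -eu
# Records Knot generated while signing. The RRSIG over the SOA is dropped on purpose:
# the serial bump below invalidates it, and Knot re-signs the SOA on reload.
extract_dnssec_records() {
    awk '
        /^[ \t]*(;|$)/ { next }                 # comments and blank lines
        $4 == "RRSIG" && $5 == "SOA" { next }   # field 5 of an RRSIG is the covered type
        $4 ~ /^(DNSKEY|RRSIG|NSEC|NSEC3|NSEC3PARAM|CDS|CDNSKEY)$/ { print }
    ' "$1"
}
# Serial of the SOA in a one-line-per-record dump (field 7 = serial).
soa_serial() { awk '$4 == "SOA" { print $7; exit }' "$1"; }
# Build the file Knot will load: git content, placeholder replaced by live serial + 1, then the DNSSEC records.
build_zone() {  # $1 = git zone file, $2 = flushed zone file, $3 = output file
    old=$( [ -f "$2" ] && soa_serial "$2" || echo 0 )
    new=$(( ${old:-0} + 1 ))
    sed "s/@SERIAL@/$new/" "$1" > "$3"
    if [ -f "$2" ]; then extract_dnssec_records "$2" >> "$3"; fi
}
# Hook entry point (e.g. post-merge): flush the live signed zone, keep a copy,
# rebuild the served file from git, reload. $3 is the file 'knotc flush' writes.
run_hook() {  # $1 = zone name, $2 = git zone file, $3 = zone file Knot serves
    knotc flush "$1"
    cp "$3" "$3.flushed"
    build_zone "$2" "$3.flushed" "$3"
    knotc reload
}
# Constructed sample input (not real zone data) to exercise the merge offline.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/git.zone" <<'EOF'
@   IN SOA ns1 hostmaster @SERIAL@ 7200 3600 1209600 3600
ns1 IN A   192.0.2.1
EOF
    cat > "$dir/flushed.zone" <<'EOF'
;; Zone dump (constructed)
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2016010407 7200 3600 1209600 3600
example.test. 3600 IN RRSIG SOA 13 2 3600 20160201000000 20160104000000 12345 example.test. c29h
ns1.example.test. 3600 IN RRSIG A 13 3 3600 20160201000000 20160104000000 12345 example.test. bnM=
example.test. 3600 IN DNSKEY 257 3 13 a2V5
example.test. 3600 IN NSEC ns1.example.test. SOA RRSIG NSEC DNSKEY
ns1.example.test. 3600 IN A 192.0.2.1
EOF
    build_zone "$dir/git.zone" "$dir/flushed.zone" "$dir/out.zone"
    echo "$dir/out.zone"
}
if [ "${1:-}" = run ]; then run_hook "$2" "$3" "$4"; fi
```

Invoke it as `hook.sh run ZONE GIT_FILE SERVED_FILE` from the hook, after the 'knotc status' check the message recommends, so the rebuild does not collide with the automatic signing interval.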