[Yeti DNS Discuss] The current multi-master setup breaks NSD

Shane Kerr shane at biigroup.cn
Tue Feb 23 12:50:48 UTC 2016


Stephane,

On 2016-02-22 16:27:10+0100 (Monday)
Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:

> On Mon, Feb 22, 2016 at 11:20:06PM +0800,
>  Shane Kerr <shane at biigroup.cn> wrote 
>  a message of 29 lines which said:
> 
> > I think the immediate solution that Stephane has used is okay:
> > switch to AXFR-only. I think we should document that for Yeti root
> > servers and move on.
> 
> Or use only one DM. (But it decreases resiliency.)

Sure. Another possibility may be to pick a single DM for a given root
server, but if that DM is unavailable for some reason then to swap DM
and do a fresh AXFR at the beginning of the operation.

----

Note that what we are seeing here is really a general problem for
DNSSEC when trying to use parallel signers. I played around with this a
little at Afilias ages ago when we were getting ready to sign .ORG for
PIR. At that time it was tricky, because you needed to make sure that
all of the inputs into the signing were identical:

1. private key
2. timestamp(s)
3. source of randomness (if any... for example if you are adding jitter
   using BIND 9's dnssec-signzone, then randomness is used here)

Of course you also need the zone contents itself, but typically that is
not an issue in such a setup.

----

I wonder if it makes sense to consider developing IXFR that is
RRSIG-aware and will allow deletion of RRSIG without enforcing an exact
match? (My previous attempt to improve IXFR met with failure, so I am
cautious...)

Cheers,

--
Shane
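The failure mode Shane describes, and the two ways out of it (keep every signing input identical, or let IXFR treat RRSIGs specially), can be seen in a small simulation. The code below is an added example and is not Yeti project code or anything Shane posted: it models a zone as a set of (owner, type, rdata) tuples, stands in truncated SHA-256 digests for real DNSSEC signatures, assumes both DMs share one ZSK (key tag 12345), and uses a constructed root-like sample zone. The "RRSIG-aware" matching rule (owner, type covered, key tag) is one reading of what Shane floats, chosen here as an assumption.

```python
"""Parallel-signer IXFR simulation (added example, not Yeti project code)."""
import hashlib
import random

KEYTAG = 12345  # assumed: both DMs sign with the same ZSK
# An RR is (owner, rrtype, rdata); RRSIG rdata is (type_covered, keytag, inception, expiration, signature).

def unsigned_zone(serial, extra=()):
    """Constructed sample zone; only the SOA serial varies between versions."""
    return {
        (".", "SOA", f"ns1.yeti-dns.org. hostmaster.yeti-dns.org. {serial} 1800 900 604800 86400"),
        (".", "NS", "ns1.yeti-dns.org."),
        (".", "NS", "ns2.yeti-dns.org."),
        ("example.", "NS", "ns.example."),
        *extra,
    }

def rrsets(rrs):
    """Group non-RRSIG RRs by (owner, rrtype) -> sorted rdata list."""
    out = {}
    for owner, rrtype, rdata in rrs:
        if rrtype != "RRSIG":
            out.setdefault((owner, rrtype), []).append(rdata)
    return {k: sorted(v) for k, v in out.items()}

def _sig(owner, rrtype, keytag, inception, expiration, rdatas):
    msg = "|".join([owner, rrtype, str(keytag), str(inception), str(expiration), *rdatas])
    return hashlib.sha256(msg.encode()).hexdigest()[:16]

def sign(rrs, now, jitter_seed, previous=None):
    """Sign every RRset; key, timestamps and randomness are the explicit inputs.
    RRsets unchanged since `previous` keep their old RRSIG, as a real signer does."""
    rng = random.Random(jitter_seed)
    old_sets = rrsets(previous) if previous else {}
    old_sigs = {(o, r[0]): r for o, t, r in (previous or ()) if t == "RRSIG"}
    signed = set(rrs)
    for (owner, rrtype), rdatas in sorted(rrsets(rrs).items()):
        if old_sets.get((owner, rrtype)) == rdatas and (owner, rrtype) in old_sigs:
            signed.add((owner, "RRSIG", old_sigs[(owner, rrtype)]))
            continue
        inception = now - 3600
        expiration = now + 14 * 86400 + rng.randint(0, 3600)  # jittered expiry
        sig = _sig(owner, rrtype, KEYTAG, inception, expiration, rdatas)
        signed.add((owner, "RRSIG", (rrtype, KEYTAG, inception, expiration, sig)))
    return signed

def verify(zone):
    """True if every RRset carries exactly one RRSIG matching its data."""
    sets, sigs = rrsets(zone), {}
    for owner, rrtype, rdata in zone:
        if rrtype == "RRSIG":
            sigs.setdefault((owner, rdata[0]), []).append(rdata)
    if set(sets) != set(sigs) or any(len(v) != 1 for v in sigs.values()):
        return False
    return all(_sig(o, t, *sigs[(o, t)][0][1:4], rd) == sigs[(o, t)][0][4]
               for (o, t), rd in sets.items())

def ixfr_delta(old, new):
    """An IXFR between two zone versions as (RRs to delete, RRs to add)."""
    return old - new, new - old

def apply_ixfr_strict(zone, deletions, additions):
    """Exact-match rule: every deleted RR must be present byte-for-byte."""
    zone = set(zone)
    for rr in deletions:
        if rr not in zone:
            raise ValueError(f"IXFR deletes an RR the secondary never had: {rr}")
        zone.remove(rr)
    return zone | additions

def apply_ixfr_rrsig_aware(zone, deletions, additions):
    """Assumed relaxation: an RRSIG deletion matches on (owner, type covered, key tag)
    and removes whichever RRSIG the secondary holds; all other RRs stay strict."""
    zone = set(zone)
    for rr in deletions:
        owner, rrtype, rdata = rr
        if rrtype != "RRSIG":
            if rr not in zone:
                raise ValueError(f"IXFR deletes an RR the secondary never had: {rr}")
            zone.remove(rr)
            continue
        matches = {z for z in zone if z[0] == owner and z[1] == "RRSIG"
                   and z[2][0] == rdata[0] and z[2][1] == rdata[1]}
        if not matches:
            raise ValueError(f"no RRSIG covering {owner}/{rdata[0]} to replace")
        zone -= matches
    return zone | additions

def build_scenario():
    t0 = 1_456_000_000
    zone1 = unsigned_zone(2016022201)
    dm_a1 = sign(zone1, t0, jitter_seed=1)      # same key, same data ...
    dm_b1 = sign(zone1, t0 + 7, jitter_seed=2)  # ... different timestamps and jitter
    zone2 = unsigned_zone(2016022202, extra=[("foo.", "NS", "ns.foo.")])
    dm_b2 = sign(zone2, t0 + 3600, jitter_seed=3, previous=dm_b1)
    deletions, additions = ixfr_delta(dm_b1, dm_b2)
    return {"secondary": set(dm_a1), "dm_a1": dm_a1, "dm_b1": dm_b1,
            "dm_b2": dm_b2, "deletions": deletions, "additions": additions}
```

Running `build_scenario()` and applying DM-B's delta to a secondary that loaded DM-A's copy shows the two outcomes: `apply_ixfr_strict` rejects the transfer because the RRSIGs DM-B wants deleted were never on the secondary, while `apply_ixfr_rrsig_aware` produces a zone whose data matches DM-B's serial 2 and still verifies, even though unchanged RRsets keep DM-A's signatures. Swapping DM and doing a fresh AXFR, the third option in the message, is simply replacing the secondary's set with DM-B's current version.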
