Separate manual zone contents from the automatically generated records
People using Knot DNS to serve master zones with DNSSEC signing enabled sometimes want to separate the actual zone contents, which they edit manually or generate from provisioning, from the automatically generated records such as the DNSSEC-related ones (DNSKEY, RRSIG, NSEC/NSEC3).
There are two options off the top of my head:

1. Use BIND-style separation: the source zone file before signing is different from the destination zone file after signing. The disadvantage here is the need to either merge the two when resigning the zone, or just resign everything every time (very unfriendly to slaves). Another option could be to track the changes in the source zone file (similar to ixfr-from-differences) and update the destination zone file only with the differences.
2. Keep just the automatically generated records in a separate zone file. What to do about the SOA in this case? DNSSEC signing usually increments the SERIAL value of the SOA record (or sets it to the unixtime), thus the SOA record also has to be kept in the extra zone file.
3. Same as 1., but use (the future) internal database as the master data source representing the state of the zone, and update records from the source zone file only when they change.
4. Similar to 2., but use a journal-like mechanism with a single state.
5. Keep this only in the journal, relying on the new journal max-size limits.
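To make options 1 and 2 concrete, here is an added toy model in Python; it is example code written for this issue, not Knot DNS code. It splits a signed zone into the manually maintained records and the generated ones (keeping the SOA with the generated part, as option 2 requires), computes an ixfr-from-differences style changeset between two versions of the source zone so that only the affected owner names need re-signing (option 1), and bumps the SOA serial the way a signer would. The one-record-per-line syntax, the sample zones, the RRSIG/DNSKEY placeholder rdata and all helper names are assumptions made for this example.

```python
"""Toy model of separating manual zone contents from generated DNSSEC records.

Example code, not part of Knot DNS.  Record syntax is the simplified
"owner ttl class type rdata" form; sample data below is constructed.
"""
from dataclasses import dataclass

# Record types the signer produces itself; everything else is "manual".
AUTOGEN_TYPES = frozenset({"DNSKEY", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM",
                           "CDS", "CDNSKEY"})


@dataclass(frozen=True)
class RR:
    owner: str
    ttl: int
    rtype: str
    rdata: str


def parse_zone(text):
    """Parse the simplified format; ';' starts a comment, blank lines ignored."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, ttl, rclass, rtype, rdata = line.split(None, 4)
        if rclass.upper() != "IN":
            raise ValueError(f"unsupported class in: {raw}")
        records.append(RR(owner.lower(), int(ttl), rtype.upper(), rdata))
    return records


def split_zone(records):
    """Option 2: manual records in one file; generated records plus the SOA
    (whose serial the signer rewrites) in the other."""
    manual = [r for r in records if r.rtype not in AUTOGEN_TYPES]
    generated = [r for r in records if r.rtype in AUTOGEN_TYPES or r.rtype == "SOA"]
    return manual, generated


def merge_zone(manual, generated):
    """Rebuild the zone to serve.  If both parts carry a SOA, the generated
    one (with the bumped serial) wins."""
    has_gen_soa = any(r.rtype == "SOA" for r in generated)
    base = [r for r in manual if not (has_gen_soa and r.rtype == "SOA")]
    return base + list(generated)


def diff_zones(old, new):
    """Option 1, ixfr-from-differences style: changeset between two versions
    of the source zone.  The SOA is left out because its serial is managed by
    the serial policy, not by whoever edits the source file."""
    key = lambda r: (r.owner, r.rtype, r.rdata)
    old_set = {r for r in old if r.rtype != "SOA"}
    new_set = {r for r in new if r.rtype != "SOA"}
    return sorted(old_set - new_set, key=key), sorted(new_set - old_set, key=key)


def owners_to_resign(removed, added):
    """Owner names whose RRSIG/NSEC data is stale after the changeset."""
    return sorted({r.owner for r in removed} | {r.owner for r in added})


def next_serial(current, policy, now):
    """Serial bump as a signer would do it (serial arithmetic wraps at 2^32).
    'increment' adds one; 'unixtime' uses the current time but never moves
    the serial backwards, which matters when the source serial is a date."""
    if policy == "increment":
        candidate = current + 1
    elif policy == "unixtime":
        candidate = max(now, current + 1)
    else:
        raise ValueError(f"unknown serial policy: {policy}")
    return candidate % 2**32


# Constructed sample data: a signed zone and two versions of the source zone.
SIGNED_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010105 7200 3600 1209600 3600
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN DNSKEY 257 3 13 PLACEHOLDER-KSK
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 PLACEHOLDER-SIG
example.com. 3600 IN NSEC mail.example.com. NS SOA RRSIG NSEC DNSKEY
www.example.com. 300 IN A 192.0.2.10   ; manual record
www.example.com. 300 IN RRSIG A 13 3 300 PLACEHOLDER-SIG
mail.example.com. 300 IN A 192.0.2.20
"""
OLD_SOURCE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com. 3600 IN NS ns1.example.com.
www.example.com. 300 IN A 192.0.2.10
mail.example.com. 300 IN A 192.0.2.20
"""
NEW_SOURCE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com. 3600 IN NS ns1.example.com.
www.example.com. 300 IN A 192.0.2.11
ftp.example.com. 300 IN A 192.0.2.30
"""

if __name__ == "__main__":
    manual, generated = split_zone(parse_zone(SIGNED_ZONE))
    print("manual:", [(r.owner, r.rtype) for r in manual])
    print("generated:", [(r.owner, r.rtype) for r in generated])
    removed, added = diff_zones(parse_zone(OLD_SOURCE), parse_zone(NEW_SOURCE))
    print("re-sign:", owners_to_resign(removed, added))
    print("next serial:", next_serial(2024010101, "unixtime", 1700000000))
```

The `next_serial` "unixtime" branch shows the caveat behind option 2: when the source file carries a date-style serial larger than the current unixtime, the signer must keep incrementing rather than jump backwards, which is exactly why the signer-owned SOA has to live with the generated records rather than be overwritten from the source file.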