Complete offline signing and AXFR for GeoIP
Currently, mod-geoip does support `policy: presigned_zone`, but the module still needs to sign the non-default RRsets on loading, so the ZSK needs to be present on the server. It isn't obvious how to store other, non-default RRsets in a pre-signed zone file. Also, these non-default RRsets cannot be shared over AXFR, so secondaries cannot easily imitate the mod-geoip behavior of the primary.
I have thought about a solution that solves both problems: CASE records that wrap other RRs with a prepended case id string. Such CASE records can be stored in zone files and transmitted over AXFR, but are always unpacked for normal queries. An example from the mod-geoip documentation could be expressed like this with CASE records:
```
foo.example.com. CASE "CZ;Prague" CNAME cz.foo.example.com.
foo.example.com. CASE "US;Las Vegas" CNAME vegas.foo.example.net.
foo.example.com. CASE "US;*" CNAME us.foo.example.net.
foo.example.com. CNAME foo.example.net. ; default case
```
DNSSEC signing would handle CASE records specially and produce an RRSIG per case id that is also wrapped into a CASE record like this:
```
foo.example.com. CASE "CZ;Prague" RRSIG CNAME 5 3 86400 20030322173103 ( … )
foo.example.com. CASE "US;Las Vegas" RRSIG CNAME 5 3 86400 20030322173103 ( … )
foo.example.com. CASE "US;*" RRSIG CNAME 5 3 86400 20030322173103 ( … )
foo.example.com. RRSIG CNAME 5 3 86400 20030322173103 ( … ) ; default case
```
This would be similar to a proposal I made for PowerDNS (https://github.com/PowerDNS/pdns/issues/12597), where I also write about this idea in more detail. PowerDNS may accept an implementation of it. What do you think about this idea? Would you accept an implementation of this for Knot DNS?
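As an added illustration of how the CASE wrapper and the per-case RRSIG from the example above would fit together, here is a small Python model of the proposed format. It is not Knot DNS, mod-geoip or PowerDNS code, and it fixes details the proposal leaves open as assumptions: a case id is a `;`-separated list of geo attributes with `*` as a wildcard, the most specific matching case wins, and RRs without a CASE wrapper are the default case. The zone fragment is constructed and the RRSIG rdata carries a placeholder label rather than a real signature. The `unsigned_rrsets` check is the one a secondary would want to run on a zone received over AXFR: every case that carries an RRset must also carry the RRSIG wrapped in the same case id, otherwise a client routed to that case gets an unsigned answer.

```python
"""Hypothetical illustration of the proposed CASE records (not Knot DNS or
mod-geoip code).

Assumptions made here that the proposal itself leaves open:
  - a case id is a ';'-separated list of geo attributes ("CC;City"),
    where '*' matches any value of that attribute;
  - when several cases match, the one with the most non-wildcard
    attributes wins;
  - RRs without a CASE wrapper form the default case.
"""
import shlex
from collections import defaultdict

DEFAULT = None  # dictionary key for RRs that carry no CASE wrapper

# Constructed sample in the proposed syntax. The RRSIG rdata after the
# fixed fields is a placeholder label, not a real signature.
ZONE_TEXT = """\
foo.example.com. CASE "CZ;Prague" CNAME cz.foo.example.com.
foo.example.com. CASE "US;Las Vegas" CNAME vegas.foo.example.net.
foo.example.com. CASE "US;*" CNAME us.foo.example.net.
foo.example.com. CNAME foo.example.net. ; default case
foo.example.com. CASE "CZ;Prague" RRSIG CNAME 5 3 86400 SIG-CZ-PRAGUE
foo.example.com. CASE "US;Las Vegas" RRSIG CNAME 5 3 86400 SIG-US-VEGAS
foo.example.com. CASE "US;*" RRSIG CNAME 5 3 86400 SIG-US-ANY
foo.example.com. RRSIG CNAME 5 3 86400 SIG-DEFAULT ; default case
"""


def tokenize(line):
    """Split a zone line into fields; ';' starts a comment unless quoted."""
    lex = shlex.shlex(line, posix=True)
    lex.whitespace_split = True
    lex.commenters = ";"
    return list(lex)


def parse_zone(text):
    """Return {owner: {case_id or DEFAULT: [(rtype, rdata), ...]}}."""
    zone = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        fields = tokenize(line)
        if not fields:
            continue
        owner, rest = fields[0], fields[1:]
        case_id = DEFAULT
        if rest and rest[0] == "CASE":  # unwrap: CASE "<id>" <type> <rdata>
            case_id, rest = rest[1], rest[2:]
        rtype, rdata = rest[0], " ".join(rest[1:])
        zone[owner][case_id].append((rtype, rdata))
    return zone


def match_score(case_id, location):
    """Number of exactly matched attributes, or None if the case does not match."""
    wanted = case_id.split(";")
    if len(wanted) != len(location):
        return None
    score = 0
    for want, have in zip(wanted, location):
        if want == "*":
            continue
        if want != have:
            return None
        score += 1
    return score


def answer(zone, owner, location):
    """RRs (already unwrapped) that a normal query from `location` gets.

    The RRSIG returned alongside the CNAME is the one wrapped in the same
    case id, so the signature always covers the RRset actually served.
    """
    cases = zone[owner]
    best, best_score = DEFAULT, -1
    for case_id in cases:
        if case_id is DEFAULT:
            continue
        score = match_score(case_id, location)
        if score is not None and score > best_score:
            best, best_score = case_id, score
    return list(cases[best])


def unsigned_rrsets(zone):
    """(owner, case_id, rtype) triples whose case has no RRSIG covering rtype.

    A presigned zone received by a secondary over AXFR should yield [].
    """
    missing = []
    for owner, cases in zone.items():
        for case_id, rrs in cases.items():
            types = {t for t, _ in rrs if t != "RRSIG"}
            covered = {rd.split()[0] for t, rd in rrs if t == "RRSIG"}
            for rtype in sorted(types - covered):
                missing.append((owner, case_id, rtype))
    return missing


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT)
    for loc in [("US", "Las Vegas"), ("US", "Denver"), ("CZ", "Prague"), ("DE", "Berlin")]:
        print(loc, answer(zone, "foo.example.com.", loc))
    print("unsigned:", unsigned_rrsets(zone))
```

Because AXFR would carry the CASE lines unchanged, a secondary can load exactly this text and reproduce the primary's per-location answers without ever seeing the ZSK; the only thing it must verify is that no case lost its wrapped RRSIG on the way.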