Several people noted (even in the survey) that they would like to keep zonefiles without the DNSSEC-related generated cruft. I agree, but how to do that?
We should have three sources of data:
- Zone file (generated by periodic sync or immediately on change, only non-DNSSEC data)
- Zone journal (for storing changes from IXFR/DDNS/zonefile reload)
- DNSSEC "journal" (for storing generated DNSSEC data) - I'm quoting here because if we don't want to store signatures in the zone file, the first entry should be all zone signatures after a resign and the following entries should be incremental changes (reload/DDNS).
How is it different?
- DNSSEC journal always contains full history for current cycle (cycle = changes since last full resign).
- By clearing the DNSSEC journal we also lose signature history, so we should flatten the regular "zone journal" as well.
- This is a good thing since AXFR should be smaller than history for more than 1 cycle
- Zone flush would generate zone without signatures + extra signatures if required
- Corrupted DNSSEC journal is not a problem = we only lose history for IXFR
- NSEC/NSEC3/insecure change could be done as: drop dnssec journal, zonefile_flush, ?sign zone (new cycle)
- Keeps the ugly generated crap hidden elsewhere not in zonefile
- Playground for lmdb?
- NSECs could be generated per-answer, but as @jkadlec noted it would be hard to generate RRSIGs
It could look roughly like this:
[zonefile]
- serial=0 (contents)
[journal]
- serial=1 (added X RRs, Y removed)
- serial=2 (added X RRs, Y removed)
[dnssec]
- serial=0 (signatures)
- serial=1 (DNSSEC-related changes for journal/serial=1)
- serial=2 (DNSSEC-related changes for journal/serial=2)
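To make the three-store layout concrete, here is a toy model of it (added example, not Knot DNS code): an unsigned zone file, a zone journal of data deltas, and a DNSSEC journal whose entry 0 is the full signature set of the current cycle followed by per-serial signature deltas. IXFR answers are merged from both journals, a client older than the cycle base gets "AXFR needed", and a resign flattens everything. It assumes a resign bumps the serial and uses a hypothetical per-owner placeholder string in place of real RRSIG generation.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    """One journal entry: the serial it produced plus what it added/removed."""
    serial: int
    added: set
    removed: set


class ZoneStores:
    """Zone file (unsigned data), zone journal and DNSSEC journal kept apart."""

    def __init__(self, rrs):
        self.rrs = set(rrs)      # live non-DNSSEC data (constructed RR strings)
        self.serial = 0
        self.cycle = 0
        self.zonefile = (0, set(self.rrs))  # (serial, unsigned RRs) on disk
        self.journal = []        # Entry list: plain data changes
        self.dnssec = []         # Entry list: entry 0 = full signature set
        self.sigs = {}           # owner name -> placeholder signature
        self.resign()            # a fresh zone starts with a full cycle

    @staticmethod
    def owner(rr):
        return rr.split()[0]

    def sign(self, name):
        # Hypothetical placeholder standing in for RRSIG generation.
        return f"RRSIG {name} serial{self.serial}"

    def flush(self):
        """Write the zone file: current serial, non-DNSSEC data only."""
        self.zonefile = (self.serial, set(self.rrs))

    def resign(self):
        """New cycle: bump serial, flatten the zone journal into the zone file,
        drop the DNSSEC journal and store the full signature set as entry 0."""
        self.serial += 1
        self.cycle += 1
        self.flush()
        self.journal = []
        self.sigs = {self.owner(r): self.sign(self.owner(r)) for r in self.rrs}
        self.dnssec = [Entry(self.serial, set(self.sigs.values()), set())]

    def change(self, added=(), removed=()):
        """Apply an incremental change (DDNS/IXFR/reload): record the plain
        delta in the zone journal and the signature delta it implies in the
        DNSSEC journal."""
        added, removed = set(added), set(removed)
        self.serial += 1
        self.rrs = (self.rrs - removed) | added
        self.journal.append(Entry(self.serial, added, removed))
        sig_added, sig_removed = set(), set()
        for name in {self.owner(r) for r in added | removed}:
            old = self.sigs.pop(name, None)
            if old:
                sig_removed.add(old)  # any change invalidates the old signature
            if any(self.owner(r) == name for r in self.rrs):
                self.sigs[name] = self.sign(name)  # owner still has data: resign it
                sig_added.add(self.sigs[name])
        self.dnssec.append(Entry(self.serial, sig_added, sig_removed))

    def ixfr(self, from_serial):
        """Changes after from_serial, merged from both journals. None means the
        history belongs to an earlier cycle and the client must AXFR."""
        if from_serial < self.dnssec[0].serial:
            return None
        out = []
        # Each change() appends to both journals, so they line up pairwise.
        for j, d in zip(self.journal, self.dnssec[1:]):
            if j.serial > from_serial:
                out.append(Entry(j.serial, j.added | d.added, j.removed | d.removed))
        return out

    def axfr(self):
        """Full signed zone = live unsigned data + current signatures."""
        return self.rrs | set(self.sigs.values())


if __name__ == "__main__":
    z = ZoneStores(["example. SOA", "www.example. A 192.0.2.1"])
    z.change(added={"mail.example. A 192.0.2.2"})
    z.change(removed={"www.example. A 192.0.2.1"})
    for e in z.ixfr(1):
        print(e)
    z.flush()
    print("zone file:", z.zonefile)  # unsigned data only, at serial 3
```

Note what the model makes visible: the zone file never contains an RRSIG, `ixfr()` only works within the current cycle (exactly the "AXFR should be smaller than history for more than 1 cycle" point), and a corrupted DNSSEC journal would only cost IXFR history since `axfr()` is rebuilt from live data and current signatures.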