Several people noted (even in the survey) that they would like to keep zone files without the DNSSEC-related generated cruft. I agree, but how to do that?

We should have three sources of data:

* Zone file (generated by periodic sync or immediately on change; contains only non-DNSSEC data)
* Zone journal (for storing changes from IXFR/DDNS/zone file reload)
* DNSSEC "journal" (for storing generated DNSSEC data) - I'm quoting here because if we don't want to store signatures in the zone file, the first entry should be *all* zone signatures after a resign and the following entries should be incremental changes (reload/DDNS).

How is it different?

* The DNSSEC journal always contains the full history for the current cycle (cycle = changes since the last full resign).
* By clearing the DNSSEC journal we also lose the signature history, so we should flatten the regular zone journal as well.
* This is a good thing, since an AXFR should be smaller than the history for more than one cycle.
* A zone flush would generate the zone without signatures, plus extra signatures if required.
* A corrupted DNSSEC journal is not a problem: we only lose history for IXFR.
* An NSEC/NSEC3/insecure change could be done as: drop the DNSSEC journal, zonefile_flush, ?sign zone (new cycle).
* Keeps the ugly generated crap hidden elsewhere, not in the zone file.
* Playground for LMDB?

Problems:

* NSECs could be generated per answer, but as @jkadlec noted it would be hard to generate RRSIGs.

It could look roughly like this:

```
[zonefile]
serial=0 (contents)

[journal]
serial=1 (added X RRs, Y removed)
serial=2 (added X RRs, Y removed)

[dnssec]
serial=0 (signatures)
serial=1 (DNSSEC-related changes for journal/serial=1)
serial=2 (DNSSEC-related changes for journal/serial=2)
```
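As an added illustration (my own sketch, not Knot DNS code and not part of the original issue), a small Python model of the three stores and the serial bookkeeping above: a plain change goes to the zone journal and the RRSIG delta it implies goes to the DNSSEC journal under the same serial, a resign starts a new cycle by flattening the zone journal into a signature-free zone file and restarting the DNSSEC journal with a full set of signatures, and IXFR falls back to AXFR for a client older than the current cycle. RRs are assumed to be `(owner, type, rdata)` tuples and `stub_sign` is a placeholder that emits one RRSIG tuple per RRset, not real signing.

```python
from dataclasses import dataclass, field
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3"}   # generated data that must stay out of the zone file

def stub_sign(rrs):
    """Stub, not real signing: one RRSIG placeholder per plain (owner, type) RRset."""
    return frozenset((o, "RRSIG", t) for o, t, _ in rrs if t not in DNSSEC_TYPES)

@dataclass
class Change:              # one journal entry; RRs are (owner, type, rdata) tuples
    serial: int
    added: frozenset = frozenset()
    removed: frozenset = frozenset()

@dataclass
class ZoneStore:
    zonefile: frozenset                          # plain RRs as of serial `base`, never signatures
    base: int = 0                                # serial at which the zone file / current cycle starts
    journal: list = field(default_factory=list)  # plain changes since `base` (IXFR/DDNS/reload)
    dnssec: list = field(default_factory=list)   # [0] = full signatures, then per-serial deltas

    def serial(self):
        return self.journal[-1].serial if self.journal else self.base

    def contents(self, signed=True):
        """Replay zone file + zone journal (+ DNSSEC journal) in serial order."""
        rrs = set(self.zonefile)
        for ch in sorted(self.journal + (self.dnssec if signed else []), key=lambda c: c.serial):
            rrs = (rrs - ch.removed) | ch.added   # sort is stable: plain change before its RRSIG delta
        return frozenset(rrs)

    def update(self, added, removed=frozenset()):
        """Plain RRs go to the zone journal; the RRSIG delta they imply goes to the DNSSEC journal."""
        before = self.contents(signed=False)
        after = (before - frozenset(removed)) | frozenset(added)
        self.journal.append(Change(self.serial() + 1, frozenset(added), frozenset(removed)))
        sb, sa = stub_sign(before), stub_sign(after)
        self.dnssec.append(Change(self.serial(), sa - sb, sb - sa))   # same serial as the plain change

    def resign(self):
        """New cycle: flatten zone journal into zone file, drop DNSSEC journal, store full signatures."""
        self.zonefile = self.contents(signed=False)   # a flush never writes signatures
        self.base = self.serial()
        self.journal.clear()
        self.dnssec = [Change(self.base, stub_sign(self.zonefile))]

    def ixfr(self, client_serial):
        """Deltas after client_serial; None when the client predates this cycle (AXFR fallback)."""
        if client_serial < self.base: return None   # that history was dropped with the last cycle
        return [c for c in sorted(self.journal + self.dnssec, key=lambda c: c.serial)
                if c.serial > client_serial]
```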