[Pdns-users] How do you rectify zones?

Ruben d'Arco cyclops at prof-x.net
Wed Feb 20 07:55:38 UTC 2013


On Tue, Feb 19, 2013 at 07:28:35PM -0500, James Cloos wrote:
> I've spent some time looking into a set of functions (I use pgsql) for
> making changes, which can do all of the necessary logic when adding,
> removing or changing an RR, but I haven't yet compiled a full list of
> what exactly is required for every case when dnssec is in use.  Has
> anyone else?

For the rfc2136 implementation, the code "rectifies" the zone. What i found was:
- Special case when inserting/removing NS records as you're creating/removing a delegate.
  The auth flag below the inserted/removed NS record needs to change.
- For inserting, we might need to insert empty-non-terminal (the type=NULL) records
  If your zone has a.test.com and you insert d.c.b.a.test.com, you'll have to create some other records.
- For removing, we must check if we need to remove empty-non-termninal records
  The reverse of the previous point, but keep in mind that you might have d.b.a.test.com in there somewhere as well.
- We basically use the same logic as rectify-zone to find what the auth flag should be, but do it for a single record that is inserted
- Afterwords, we need to flush the cache as pdns will cache NSEC(3) records as well. This is something i think you cannot do from a sql-function.


More information about the Pdns-users mailing list