[Pdns-users] NOTIFYing with ALIAS records

Scott Colby scolby33 at gmail.com
Tue Jul 10 06:04:59 UTC 2018 

Hello,

I am considering implementing a DNS topography like this (warning: ASCII art; I
folded to 80 columns):
                              ._.
                              |H|
 ns1.example.com              |S|
.-----------------------------|M|---------------------------------------.
| .-----------------.      .--'-'------------.      .-----------------. |
| | PDNS            |      | OpenDNSSEC      |      | PDNS            | |
| | 'hidden-master' | <==> | 'signer'        | <==> | 'master'        | |
| | 127.0.53.1      |  |   | 127.0.53.2      |  |   | ex.te.rn.a1:53  | |
| `-----------------'  |   `-----------------'  |   `-----------------' |
|                      '- NOTIFY/{AI}XFR        '- NOTIFY/{AI}XFR       |
`-----------------------------------------------------------------------'
                                                                    MM
                                                            NOTIFY/ ||
                                                            {AI}XFR || Internet
                                                                    ||
                                                                    ||
                                                   ns2.example.com  WW
                                                  .---------------------.
                                                  | .-----------------. |
                                                  | | PDNS            | |
                                                  | | 'secondary'     | |
                                                  | | ex.te.rn.a2:53  | |
                                                  | `-----------------' |
                                                  `---------------------'

I would like to use ALIAS records and realize for the DNSSEC signing to work,
they will have to be resolved by the 'hidden-master' and then forwarded up the
chain of nameservers. My question here is how to notify them when what the
ALIAS resolves to changes.

Here are the possibilities I have thought of:
- a low (for some definition of low) refresh value in the SOA
- a script running on ns1 that checks if the ALIAS has changed and forces a
  NOTIFY to be sent (is this possible via the PowerDNS API?)

The TTL on the result of the ALIAS from my hosting provider appears to usually
be 3600.

My second question revolves around RFC2136 dynamic DNS. Obviously, this needs
to propagate up to the 'hidden-master'. My thoughts on this are:
- a daemon listening on ex.te.rn.a1:53 that forwards most questions to the
  'master' but dynamic DNS packets to the 'hidden-master' (can dnsdist do
  something this dirty?
- using the lua-dnsupdate-policy-script setting on the 'master' to push the
  update directly to the 'hidden-master'

Unfortunately, I don't think OpenDNSSEC can be configured to pass dynamic DNS
updates upstream.

Does anyone have thoughts on implementing this? Am I missing any easy
alternatives?

Thank you,
Scott Colby

More information about the Pdns-users mailing list