
Feature request: EDNS EXPIRE (RFC 7314)

Open anandb-ripencc opened this issue 1 year ago • 9 comments

Hi. Long chains of XFR servers can lead to a situation where a zone's expiry is extended well beyond what's in the SOA record. We have recently had this situation with some of our zones, where the secondary kept serving a zone with expired RRSIGs.

Would you consider implementing RFC 7314 in ~~Knot DNS~~ NSD, both when providing XFR as well as requesting XFR, and honouring the expiry from the EDNS EXPIRE option instead of the SOA record?

anandb-ripencc, Mar 30 '23 01:03

I copy+pasted from the same request to the Knot DNS folk... oops, haha.

s/Knot DNS/NSD/ :)

anandb-ripencc, Mar 30 '23 05:03

It turns out that Knot DNS has implemented this since version 3.2. It has been in BIND for even longer. I would love to see this in NSD, so that we can make use of it uniformly. Other than in XFR, it also helps when you issue a SOA query, because you can quickly know how far a zone is from expiry, and could use it as a monitoring aid.

anandb-ripencc, Apr 10 '23 08:04

Hi @anandb-ripencc! I'll start looking into this.

k0ekk0ek, Jun 01 '23 15:06

Hi @k0ekk0ek. Any update on this issue?

anandb-ripencc, Nov 22 '23 14:11

Hi @anandb-ripencc. I'm sorry, not yet. It got sidetracked. I'll see if I can start work on this again soon (#278, or simdzone, is keeping me busy, but a first release is close).

k0ekk0ek, Nov 22 '23 17:11

@anandb-ripencc, #278 turned out to take (way) more time. I'm sorry it took so long. I'll get started on this feature later this week.

k0ekk0ek, Apr 16 '24 09:04

I've been working out how to fit this into NSD. The problem is that the processes serving the data do not keep track of zone administration as that is done by xfrd. The initial idea was to use a shared memory segment containing an expire timer per zone. As multiple versions might be served (current version, plus version after reload), that is not as straightforward as I hoped it'd be. Anyway, just a quick update to indicate this is top of my list.

k0ekk0ek, May 01 '24 17:05

Thanks for this update, Jeroen. Perhaps you can try to solve this issue in 2 parts. It would already be useful if XFRD were to ask for, and honour, the EXPIRE option in XFR queries. This would solve the problem where we have multiple chains of XFR servers, and the zone expiry time is extended beyond the operator's intention. This is my main motivation for wanting EXPIRE support in NSD, because we have actually faced this issue.

Later, you can try to figure out a way of passing on the expiry timer information to the child processes.

anandb-ripencc, May 02 '24 09:05
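The first part proposed above (a transfer client asking for EXPIRE and honouring the answer) is small on the wire. The following is an added example in C, not NSD's code: it encodes the RFC 7314 option (EDNS option code 9, empty in a query, a 4-byte seconds value in a response), parses it out of OPT RDATA, and arms the expire timer to the lesser of the SOA EXPIRE field and the upstream value, so that a long XFR chain cannot stretch expiry past the primary's intention. Function names and the return-code convention are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
/* Added example, not NSD code. Option code 9 is the IANA EDNS option
 * code for EXPIRE (RFC 7314). */
#define EDNS_OPT_EXPIRE 9
/* Append an EXPIRE option to OPT RDATA. A query sends an empty option
 * (OPTION-LENGTH 0); a response carries a 4-byte seconds value in
 * network byte order. Returns bytes written, or 0 if buf is too small. */
size_t edns_expire_put(uint8_t *buf, size_t cap, int is_response, uint32_t seconds)
{
    size_t need = is_response ? 8 : 4;
    if (cap < need) return 0;
    buf[0] = 0; buf[1] = EDNS_OPT_EXPIRE;       /* OPTION-CODE = 9 */
    buf[2] = 0; buf[3] = is_response ? 4 : 0;   /* OPTION-LENGTH */
    if (is_response) {
        buf[4] = (uint8_t)(seconds >> 24); buf[5] = (uint8_t)(seconds >> 16);
        buf[6] = (uint8_t)(seconds >> 8);  buf[7] = (uint8_t)seconds;
    }
    return need;
}
/* Walk OPT RDATA looking for an EXPIRE option. Returns 1 and sets
 * *seconds for a response-form option, 2 for the empty query form,
 * 0 when absent, -1 when the RDATA is truncated or the length is wrong. */
int edns_expire_get(const uint8_t *rdata, size_t len, uint32_t *seconds)
{
    size_t off = 0;
    while (off + 4 <= len) {
        uint16_t code = (uint16_t)((rdata[off] << 8) | rdata[off + 1]);
        uint16_t olen = (uint16_t)((rdata[off + 2] << 8) | rdata[off + 3]);
        off += 4;
        if (off + olen > len) return -1;        /* truncated option */
        if (code == EDNS_OPT_EXPIRE) {
            if (olen == 0) return 2;            /* query: client wants EXPIRE */
            if (olen != 4) return -1;           /* malformed value */
            *seconds = ((uint32_t)rdata[off] << 24) | ((uint32_t)rdata[off + 1] << 16)
                     | ((uint32_t)rdata[off + 2] << 8) | rdata[off + 3];
            return 1;
        }
        off += olen;                            /* skip unrelated option */
    }
    return (off == len) ? 0 : -1;
}
/* Expire timer a secondary arms after a transfer: the SOA EXPIRE field,
 * lowered to the upstream's remaining expire time when one was received. */
uint32_t effective_expire(uint32_t soa_expire, int have_edns, uint32_t edns_expire)
{
    if (have_edns == 1 && edns_expire < soa_expire) return edns_expire;
    return soa_expire;
}
```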

That's most certainly less complicated, I'll see if I can split it up.

k0ekk0ek, May 02 '24 09:05