a truncated SOA response (indicating TCP is required), and the freshness
check will fail. As a workaround, the signature check and DO flag can be
turned off by disabling
-:ref:`setting-compare-signatures-on-zone-freshness-check`.
+:ref:`setting-secondary-check-signature-freshness`.
When the freshness of a domain cannot be checked, e.g. because the
master is offline, PowerDNS will retry the domain after
service to 'simple' instead of 'notify' (refer to the systemd
documentation on how to modify unit-files).
-.. _setting-compare-signatures-on-zone-freshness-check:
+.. _setting-secondary-check-signature-freshness:
-``compare-signatures-on-zone-freshness-check``
-----------------------------------------------
+``secondary-check-signature-freshness``
+---------------------------------------
.. versionadded:: 4.7.0
- Default: yes
Enabled by default, freshness checks for secondary zones will set the DO flag on SOA queries. PowerDNS
-uses the DNSSEC signatures in the SOA response to detect (signature) changes on the primary server, when
-the serial number was not increased.
+can detect (signature) changes on the primary server without serial number bumps using the DNSSEC
+signatures in the SOA response.
-In some scenarios, primary servers send truncated SOA responses. As a workaround, this setting can be
-turned off, and the DO flag as well as the signature checking will be disabled. To avoid additional
+In some problematic scenarios, primary servers send truncated SOA responses. As a workaround, this setting
+can be turned off, and the DO flag as well as the signature checking will be disabled. To avoid additional
drift, primary servers then must always increase the zone serial on signature changes.
+It is strongly recommended to keep this setting enabled (`yes`).
+
.. _setting-config-dir:
``config-dir``
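Review bot: the `Default: yes` line is deleted in this hunk but nothing replaces it under the new `secondary-check-signature-freshness` heading, so the rendered setting block loses its documented default; restore `- Default: yes` (or the equivalent line this file uses for other settings) below `.. versionadded:: 4.7.0`. Since the setting is being renamed rather than introduced, a `.. versionchanged::` note naming the old key `compare-signatures-on-zone-freshness-check` would also help operators who search the docs for the name they already have in pdns.conf.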
::arg().set("allow-notify-from", "Allow AXFR NOTIFY from these IP ranges. If empty, drop all incoming notifies.") = "0.0.0.0/0,::/0";
::arg().set("slave-cycle-interval", "Schedule slave freshness checks once every .. seconds") = "60";
::arg().set("xfr-cycle-interval", "Schedule primary/secondary SOA freshness checks once every .. seconds") = "60";
- ::arg().set("compare-signatures-on-zone-freshness-check", "Set DO flag on SOA queries to receive signatures for signature comparison") = "yes";
+ ::arg().set("secondary-check-signature-freshness", "Check signatures in SOA freshness check. Sets DO flag on SOA queries. Outside some very problematic scenarios, say yes here.") = "yes";
::arg().set("tcp-control-address", "If set, PowerDNS can be controlled over TCP on this address") = "";
::arg().set("tcp-control-port", "If set, PowerDNS can be controlled over TCP on this address") = "53000";
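Review bot: the old key `compare-signatures-on-zone-freshness-check` is removed outright, with no alias, so any existing configuration that still sets it will no longer be understood after the upgrade; the two lines just above (`slave-cycle-interval` kept next to `xfr-cycle-interval`) show the pattern this file already uses for renamed settings, and the same approach (keep the old name registered and documented as deprecated, pointing at `secondary-check-signature-freshness`) would avoid breaking configurations on upgrade. The new help text, "Outside some very problematic scenarios, say yes here.", reads as conversational for a `--help` string; something like "Check DNSSEC signatures during SOA freshness checks (sets the DO flag on SOA queries). Disable only if the primary sends truncated SOA responses." states the same thing in the register of the surrounding help strings.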
DomainNotificationInfo dni;
dni.di=di;
- if (::arg().mustDo("compare-signatures-on-zone-freshness-check")) {
+ if (::arg().mustDo("secondary-check-signature-freshness")) {
dni.dnssecOk = dk.doesDNSSEC();
} else {
dni.dnssecOk = false;
}
else if(hasSOA && theirserial == ourserial) {
uint32_t maxExpire=0, maxInception=0;
- if(dk.isPresigned(di.zone) && ::arg().mustDo("compare-signatures-on-zone-freshness-check")) {
+ if(dk.isPresigned(di.zone) && ::arg().mustDo("secondary-check-signature-freshness")) {
B->lookup(QType(QType::RRSIG), di.zone, di.id); // can't use DK before we are done with this lookup!
DNSZoneRecord zr;
while(B->get(zr)) {
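Review bot: this condition only renames the setting, but it shows that the signature comparison is additionally gated on `dk.isPresigned(di.zone)`, i.e. it runs only for presigned zones, whereas the documentation text earlier in this change ("can detect (signature) changes on the primary server without serial number bumps") reads as if it applies to every secondary zone; consider stating in the setting's documentation that the comparison is performed for presigned zones only, so operators do not expect signature-driven refreshes for zones that are signed locally.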