Turning this off will disable the DO flag for SOA queries during zone freshness checks of secondary zones
to work around truncated SOA responses. It will also disable signature comparison, which is used to detect
signature changes even when the serial was not increased. Hence, disable this setting only if the Primary
name server always increases the serial on signature changes.
Default: yes (= old behavior)
the domain is declared 'fresh', and will only be checked again after
'**refresh**' seconds have passed.
+If the serial on the Primary is equal to the serial on the Secondary,
+but the zone is presigned, the Secondary will also compare the RRSIG
+of the SOA and queue a zone transfer if the signatures are different.
+This is useful if the Primary is also PowerDNS as the serial may not be
+increased although signatures are updated. To compare also the RRSIGs,
+PowerDNS sets the DO flag when querying the SOA on the Primary. Setting
+the DO flag may trigger truncated responses and the SOA check should
+fall-back to TCP. As this fall-back is currently not supported in
+PowerDNS, freshnes checks may fail. If it is known that the Primary
+always increases the serial on signature changes, signature comparison
+can be turned off by disabling
+:ref:`setting-compare-signatures-on-zone-freshness-check`. This will disable
+the DO flag and should work around the truncate issue.
+
When the freshness of a domain cannot be checked, e.g. because the
master is offline, PowerDNS will retry the domain after
:ref:`setting-xfr-cycle-interval` seconds.
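Review bot: typo on the line "PowerDNS, freshnes checks may fail." ("freshnes" should be "freshness"), and "fall-back" used as a verb in "the SOA check should fall-back to TCP" should be "fall back" (the noun form on the next line, "this fall-back", is fine). Beyond the typos, the added paragraph states the RRSIG comparison unconditionally ("the Secondary will also compare the RRSIG of the SOA and queue a zone transfer") and only introduces the new setting several sentences later; consider saying up front that this comparison (and the DO flag on the SOA query) only happens while :ref:`setting-compare-signatures-on-zone-freshness-check` is enabled, and rewording "To compare also the RRSIGs" as "To also compare the RRSIGs".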
service to 'simple' instead of 'notify' (refer to the systemd
documentation on how to modify unit-files).
+.. _setting-compare-signatures-on-zone-freshness-check:
+
+``compare-signatures-on-zone-freshness-check``
+----------------------------------------------
+
+.. versionadded:: 4.7.0
+
+- Boolean
+- Default: yes
+
+Turning this off will disable the DO flag for SOA queries during zone freshness checks of secondary zones
+to workaround truncated SOA responses. It will also disable signature comparison which are used to detect
+signature changes even when the serial was not increased. Hence, disable this setting only if the Primary
+name server always increases the serial on signature changes.
+
.. _setting-config-dir:
``config-dir``
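Review bot: grammar in the new setting description: "to workaround truncated SOA responses" should be "to work around truncated SOA responses", and "signature comparison which are used" should be "signature comparison, which is used". The entry should also mention that the comparison only applies to presigned zones, since the freshness-check code in this change only compares RRSIGs when `dk.isPresigned(di.zone)` holds; as written, the advice "disable this setting only if the Primary name server always increases the serial on signature changes" reads as if it concerned every DNSSEC zone, while the DO-flag part of the setting does apply to every DNSSEC zone. Stating both halves explicitly keeps this entry consistent with the longer paragraph added to the freshness-check docs.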
::arg().set("allow-notify-from", "Allow AXFR NOTIFY from these IP ranges. If empty, drop all incoming notifies.") = "0.0.0.0/0,::/0";
::arg().set("slave-cycle-interval", "Schedule slave freshness checks once every .. seconds") = "60";
::arg().set("xfr-cycle-interval", "Schedule primary/secondary SOA freshness checks once every .. seconds") = "60";
+ ::arg().set("compare-signatures-on-zone-freshness-check", "Set DO flag on SOA queries to receive signatures for signature comparison") = "yes";
::arg().set("tcp-control-address", "If set, PowerDNS can be controlled over TCP on this address") = "";
::arg().set("tcp-control-port", "If set, PowerDNS can be controlled over TCP on this address") = "53000";
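Review bot: the help string "Set DO flag on SOA queries to receive signatures for signature comparison" describes only the enabled behaviour and drops the reason the option exists. The rst docs say that disabling it also skips the RRSIG comparison and is intended as a work-around for truncated SOA responses, so the text an operator sees from the built-in help should say the same, e.g. "Set DO flag on SOA queries during freshness checks and compare RRSIGs of presigned zones; disable to work around truncated SOA responses". If this file registers its other yes/no options with `::arg().setSwitch(...)` rather than `::arg().set(...)`, this one should follow that convention as well.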
DomainNotificationInfo dni;
dni.di=di;
- dni.dnssecOk = dk.doesDNSSEC();
+ if (::arg().mustDo("compare-signatures-on-zone-freshness-check")) {
+ dni.dnssecOk = dk.doesDNSSEC();
+ } else {
+ dni.dnssecOk = false;
+ }
if(dk.getTSIGForAccess(di.zone, sr.master, &dni.tsigkeyname)) {
string secret64;
}
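Review bot: the new if/else collapses to a single assignment, `dni.dnssecOk = ::arg().mustDo("compare-signatures-on-zone-freshness-check") && dk.doesDNSSEC();`, which keeps the field set in one place and avoids the duplicated branch. Since this runs once per domain inside the freshness-check loop, the `::arg().mustDo(...)` string lookup could also be evaluated once into a local `const bool` before the loop and reused here and in the presigned check in the next hunk. Note that with the setting off, DO is dropped for every DNSSEC zone, including live-signed ones whose signatures are never compared; that matches the documented wording ("will disable the DO flag for SOA queries during zone freshness checks of secondary zones"), but a short comment at this point would stop the mismatch with the setting name ("compare-signatures-...") being mistaken for a bug later.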
else if(hasSOA && theirserial == ourserial) {
uint32_t maxExpire=0, maxInception=0;
- if(dk.isPresigned(di.zone)) {
+ if(dk.isPresigned(di.zone) && ::arg().mustDo("compare-signatures-on-zone-freshness-check")) {
B->lookup(QType(QType::RRSIG), di.zone, di.id); // can't use DK before we are done with this lookup!
DNSZoneRecord zr;
while(B->get(zr)) {
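Review bot: put the cheap `::arg().mustDo("compare-signatures-on-zone-freshness-check")` test first in the condition so it short-circuits before `dk.isPresigned(di.zone)`, which goes to the backend; with the setting disabled, the presigned lookup is wasted work for every zone whose serial matched. Reading the setting into a local `const bool` once, shared with the `dni.dnssecOk` assignment in the previous hunk, would also keep the two places that honour the setting from drifting apart. The comment on the `B->lookup(QType(QType::RRSIG), ...)` line ("can't use DK before we are done with this lookup!") still holds, since the added `mustDo` call does not touch the DNSSECKeeper.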