From: Chris Hofstaedtler
Date: Sun, 14 Aug 2022 13:28:36 +0000 (+0200)
Subject: Rename compare-signatures-on-zone-freshness-check
X-Git-Tag: rec-4.8.0-alpha1~28^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d804bbeb331f34187e9a61cfe4e989404c2e97c0;p=thirdparty%2Fpdns.git
Rename compare-signatures-on-zone-freshness-check
---
diff --git a/docs/modes-of-operation.rst b/docs/modes-of-operation.rst
index 9a8a8d7247..3ba094f9b0 100644
--- a/docs/modes-of-operation.rst
+++ b/docs/modes-of-operation.rst
@@ -112,7 +112,7 @@ the primary server.
 In some conditions, some primary servers answer with a truncated SOA response (indicating TCP is required), and the freshness check will fail. As a workaround, the signature check and DO flag can be turned off by disabling
-:ref:`setting-compare-signatures-on-zone-freshness-check`.
+:ref:`setting-secondary-check-signature-freshness`.
 When the freshness of a domain cannot be checked, e.g. because the master is offline, PowerDNS will retry the domain after
diff --git a/docs/settings.rst b/docs/settings.rst
index f8bd514914..b58aaa8184 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -273,10 +273,10 @@ Either don't ``chroot`` on these systems or set the 'Type' of the service to 'simple' instead of 'notify' (refer to the systemd
 documentation on how to modify unit-files).
-.. _setting-compare-signatures-on-zone-freshness-check:
+.. _setting-secondary-check-signature-freshness:
-``compare-signatures-on-zone-freshness-check``
----------------------------------------------
+``secondary-check-signature-freshness``
+--------------------------------------
 .. versionadded:: 4.7.0 
@@ -284,13 +284,15 @@ documentation on how to modify unit-files).
 - Default: yes
 Enabled by default, freshness checks for secondary zones will set the DO flag on SOA queries. PowerDNS
-uses the DNSSEC signatures in the SOA response to detect (signature) changes on the primary server, when
-the serial number was not increased.
+can detect (signature) changes on the primary server without serial number bumps using the DNSSEC
+signatures in the SOA response.
-In some scenarios, primary servers send truncated SOA responses. As a workaround, this setting can be
-turned off, and the DO flag as well as the signature checking will be disabled. To avoid additional
+In some problematic scenarios, primary servers send truncated SOA responses. As a workaround, this setting
+can be turned off, and the DO flag as well as the signature checking will be disabled. To avoid additional
 drift, primary servers then must always increase the zone serial on signature changes.
+It is strongly recommended to keep this setting enabled (`yes`).
 .. _setting-config-dir:
 ``config-dir``
diff --git a/pdns/auth-main.cc b/pdns/auth-main.cc
index 1e407aa230..66dd653b8c 100644
--- a/pdns/auth-main.cc
+++ b/pdns/auth-main.cc 
@@ -211,7 +211,7 @@ void declareArguments()
 ::arg().set("allow-notify-from", "Allow AXFR NOTIFY from these IP ranges. If empty, drop all incoming notifies.") = "0.0.0.0/0,::/0";
 ::arg().set("slave-cycle-interval", "Schedule slave freshness checks once every .. seconds") = "60";
 ::arg().set("xfr-cycle-interval", "Schedule primary/secondary SOA freshness checks once every .. seconds") = "60";
- ::arg().set("compare-signatures-on-zone-freshness-check", "Set DO flag on SOA queries to receive signatures for signature comparison") = "yes";
+ ::arg().set("secondary-check-signature-freshness", "Check signatures in SOA freshness check. Sets DO flag on SOA queries. Outside some very problematic scenarios, say yes here.") = "yes";
 ::arg().set("tcp-control-address", "If set, PowerDNS can be controlled over TCP on this address") = "";
 ::arg().set("tcp-control-port", "If set, PowerDNS can be controlled over TCP on this address") = "53000";
diff --git a/pdns/slavecommunicator.cc b/pdns/slavecommunicator.cc
index 1266901007..991c98e0c1 100644
--- a/pdns/slavecommunicator.cc
+++ b/pdns/slavecommunicator.cc
@@ -1182,7 +1182,7 @@ void CommunicatorClass::slaveRefresh(PacketHandler *P)
 DomainNotificationInfo dni;
 dni.di=di;
- if (::arg().mustDo("compare-signatures-on-zone-freshness-check")) {
+ if (::arg().mustDo("secondary-check-signature-freshness")) {
 dni.dnssecOk = dk.doesDNSSEC();
 } else {
 dni.dnssecOk = false;
@@ -1331,7 +1331,7 @@ void CommunicatorClass::slaveRefresh(PacketHandler *P)
 } else if(hasSOA && theirserial == ourserial) {
 uint32_t maxExpire=0, maxInception=0;
- if(dk.isPresigned(di.zone) && ::arg().mustDo("compare-signatures-on-zone-freshness-check")) {
+ if(dk.isPresigned(di.zone) && ::arg().mustDo("secondary-check-signature-freshness")) {
 B->lookup(QType(QType::RRSIG), di.zone, di.id); // can't use DK before we are done with this lookup!
 DNSZoneRecord zr;
 while(B->get(zr)) {
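Review bot: The old key `compare-signatures-on-zone-freshness-check` is removed from `declareArguments()` without being kept as a deprecated alias, so a 4.7 configuration that still sets it will presumably either be rejected at startup as an unknown parameter or, if unknown keys are tolerated, be silently ignored and fall back to the new key's default of `yes`. That silent fallback would re-enable the DO flag and RRSIG comparison that an operator had deliberately turned off to work around truncated SOA replies, and freshness checks for those zones would start failing again without any hint in the config. I would keep the old name registered for one release, e.g. `::arg().set("compare-signatures-on-zone-freshness-check", "Deprecated, use secondary-check-signature-freshness") = "";`, and have `slaveRefresh()` fall back to it when the new key is left at its default, or at minimum call out the rename in the upgrade notes. The body of `declareArguments()` begins before and continues after this hunk.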