On Wed, 7 May 2025 19:35:42 +0200 Ondřej Surý <[email protected]> wrote:
> Hi Stefan,

Hello Ondřej,

Sorry for the late reply. I was a bit busy with other things.

> > On 7. 5. 2025, at 10:45, Stefan Ubbink
> > <[email protected]> wrote:
> > [...]
>
> >> The draft is definitely underspecified in this area. Especially,
> >> the IXFR and NSUPDATE cases feel very hairy to me as this is
> >> practically makes SOA+(_version TXT) to be practically bound
> >> together during the updates.
> >
> > Would getting the _version TXT from the zone data only when a query
> > with the ZONEVERSION option enabled make sense?
>
> No, not really. It would be easier just to always check this.

Thank you for this insight.

> >> Is this a practical problem that it adds yet another requirement
> >> for the authoritative nameserver implementations?
> >
> > I would like to have a uniform way to know what the source of the
> > DNS data is in a way that it is visible to the public.
>
> That's probably the one thing I don't really understand - why? What's
> the use case of having this information available via DNS? I can
> clearly see that for the plain ZONEVERSION because that works with the
> loose nature of the DNS.
>
> Because as far as I understand this, you can achieve the same thing
> by:
>
> 1. publishing the list of SERIAL - DBVERSION outside of the DNS, it
>    could be even available using the REST API

That would mean that people have to look somewhere else to get that
info and I would like to keep the information in DNS. And this would
also make it a uniform way to publish this information.

> 2. using the SERIAL number to publish this information, as the SERIAL
>    numbers are integers and what we put into them is just convenience,
>    you can for example round the seconds to the nearest hundreds and
>    then use the last two digits to for just resigning.
>
> But again that boils down to - who would be a consumer of this
> information? And what do you envision such consumer would get by
> getting this information?

From my point of view as a TLD operator, anyone who wants to have a
change published by the parent could use this to see if the source of
the published zone has changed, since a SERIAL number change does not
mean that the source (DBVERSION) has changed. This could also help
registrars if they get questions why a change of a customer did not yet
get published.

> And one more question - do you envision that the SOA SERIAL and your
> "_version" could somehow get out of sync? E.g. is something like this
> possible?
>
> Server 1:
> - SERIAL 10
> - DBVERSION 2
>
> Server 2:
> - SERIAL 11
> - DBVERSION 1

At the moment I do not see this happening in a normal flow, even when
there are multiple signers which can publish a zone based on the same
database source.

-- 
Stefan Ubbink
DNS & Systems Engineer
Present: Mon, Tue, Wed, Fri

SIDN | Meander 501 | 6825 MD | ARNHEM | The Netherlands
T +31 (0)26 352 55 00
https://www.sidn.nl
_______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
