Hi,

On Tue, Feb 19, 2013 at 07:28:35PM -0500, James Cloos wrote:
> I've spent some time looking into a set of functions (I use pgsql) for
> making changes, which can do all of the necessary logic when adding,
> removing or changing an RR, but I haven't yet compiled a full list of
> what exactly is required for every case when dnssec is in use. Has
> anyone else?

For the rfc2136 implementation, the code "rectifies" the zone. What I found was:

- Special case when inserting/removing NS records as you're creating/removing
  a delegate. The auth flag below the inserted/removed NS record needs to
  change.
- For inserting, we might need to insert empty-non-terminal (the type=NULL)
  records. If your zone has a.test.com and you insert d.c.b.a.test.com,
  you'll have to create some other records.
- For removing, we must check if we need to remove empty-non-terminal
  records. The reverse of the previous point, but keep in mind that you might
  have d.b.a.test.com in there somewhere as well.
- We basically use the same logic as rectify-zone to find what the auth flag
  should be, but do it for a single record that is inserted.
- Afterwards, we need to flush the cache as pdns will cache NSEC(3) records
  as well. This is something I think you cannot do from a sql-function.

Regards,

Ruben
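
The empty-non-terminal (ENT) bookkeeping from the second and third points above, as an added example that is not part of the original message and is not PowerDNS code. The function names and the set-based zone model are assumptions made for illustration; the auth flag and the cache flush are not covered.

```python
# Added example: ENT bookkeeping for a single insert or delete.
# Names are lower-case with no trailing dot. `owners` holds names that carry
# real records, `ents` the ENT placeholders. All sample data is constructed.

def ancestors(name, zone):
    """Names strictly between `name` and the zone apex, nearest first."""
    if name == zone:
        return []
    if not name.endswith("." + zone):
        raise ValueError(f"{name} is outside zone {zone}")
    rel = name[: -len(zone) - 1].split(".")
    return [".".join(rel[i:]) + "." + zone for i in range(1, len(rel))]

def ent_changes_on_insert(owners, ents, zone, name):
    """(ENTs to create, ENTs to drop) when the first record at `name` is added."""
    create = {a for a in ancestors(name, zone)
              if a not in owners and a not in ents}
    drop = {name} & ents  # an ENT that gains a record is no longer empty
    return create, drop

def ent_changes_on_delete(owners, ents, zone, name):
    """(ENTs to create, ENTs to drop) when the last record at `name` is removed."""
    remaining = owners - {name}

    def in_use(n):
        # An ENT is still needed while any real name sits below it.
        return any(o.endswith("." + n) for o in remaining)

    # A removed name that still has children turns into an ENT itself.
    create = {name} if name != zone and in_use(name) else set()
    drop = {a for a in ancestors(name, zone) if a in ents and not in_use(a)}
    return create, drop

if __name__ == "__main__":
    zone = "test.com"
    owners, ents = {"test.com", "a.test.com"}, set()
    steps = [("insert", "d.c.b.a.test.com"), ("insert", "d.b.a.test.com"),
             ("delete", "d.c.b.a.test.com")]
    for op, name in steps:
        fn = ent_changes_on_insert if op == "insert" else ent_changes_on_delete
        create, drop = fn(owners, ents, zone, name)
        if op == "insert":
            owners.add(name)
        else:
            owners.discard(name)
        ents = (ents | create) - drop
        print(op, name, "create:", sorted(create), "drop:", sorted(drop))
```

After the last step, b.a.test.com stays as an ENT because d.b.a.test.com still sits below it; only c.b.a.test.com is dropped.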