Zone transfer to secondary NS for availability reasons

Today's availability issues at deSEC NS motivated us to think about solutions for scenarios when deSEC suffers an outage.
The easy option would be to use a separate secondary DNS provider. That provider would just copy the signed DNS records from deSEC via standard zone transfer mechanisms, which are widely supported.

We would use 1984.is as secondary. In their web interface you can enter the domain name and master IP address.
Do you support DNS zone transfer?

We currently do not support this kind of zone transfer. The reason is that we like to keep zone data as private as possible and do not want to expose entire zones to the public. There are ways of authenticating DNS zone transfer requests, but they come with additional complexity for key management, which means additional effort for an implementation. I do agree that DNS zone transfer would be a good feature for deSEC, but given the resources we have I currently cannot commit to a timely implementation.

Our API supports exporting the zone in zonefile format. It currently does not include DNSSEC-related records, so it is not yet suitable for your purposes. However, as it already has authentication in place, it may be less effort to adapt this export than to implement the full-featured zone transfer. Of course, it may (by itself) not be compatible with other DNS hosting providers.
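For readers who want to see what "authenticating zone transfer requests" looks like in practice: the snippet below is an added example of the primary-side configuration in BIND 9, not deSEC's configuration or anything the thread's participants posted. The key name, secret placeholder, zone name, file path and secondary address are assumptions.

```conf
// TSIG key shared with the secondary. The secret is a placeholder; generate a
// real one with `tsig-keygen secondary-xfer` and keep it out of version control.
key "secondary-xfer" {
    algorithm hmac-sha256;
    secret "<base64 secret>";
};

zone "example.org" {
    type primary;
    file "/var/lib/bind/example.org.signed";
    // Only AXFR/IXFR requests signed with the TSIG key are served; an
    // unsigned request from the right IP address is still refused.
    allow-transfer { key "secondary-xfer"; };
    // Push a NOTIFY to the secondary so it pulls the new serial promptly.
    also-notify { 192.0.2.53; };
};
```

Two caveats a practitioner would want here. A secondary that only asks for a master IP address (as the 1984.is form described above does) cannot present a TSIG signature, so the primary would be left with an IP-based ACL, which is exactly the "exposed to the public" concern raised in this reply. And TSIG authenticates the request but does not encrypt the transfer; zone transfer over TLS (RFC 9103) is the mechanism for the confidentiality side.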

It currently does not include DNSSEC-related records, so it is not yet suitable for your purposes. However, as it already has authentication in place, it may be less effort to adapt this export than to implement the full-featured zone transfer.

I opened an issue for it:

and I found the AXFR issue:

we like to keep zone data as private as possible and do not want to expose entire zones to the public

I added a note for encrypted zone transfer support to the issue

Is it technically possible to store two DS records in the parent zone (at the registrar/registry)? If so, you could also use DNSControl to store your DNS data with several DNS providers at the same time.

Yes, that’s possible. It’s called a “multi-signer setup”, see RFC 8901.
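Running two signing providers is only safe if the parent's DS RRset and each provider's DNSKEY RRset stay consistent. As an added example (not code from this thread, deSEC or DNSControl), the Python below checks the RFC 8901 Model 2 invariants, where each provider has its own KSK and ZSK: the parent must carry a DS for every provider's KSK, and every provider's DNSKEY RRset must include the ZSKs of all providers, otherwise a resolver that fetched the DNSKEY RRset from one provider cannot validate RRSIGs it receives from the other. The zone name, provider names and key bytes are constructed stand-ins, not real keys.

```python
"""Consistency check for an RFC 8901 Model 2 multi-signer DNSSEC setup."""
import hashlib
import struct
from dataclasses import dataclass

SEP_FLAG = 0x0001          # Secure Entry Point bit: the key is a KSK
ALG_ECDSAP256SHA256 = 13   # DNSSEC algorithm number for ECDSA P-256 / SHA-256
DS_DIGEST_SHA256 = 2       # DS digest type 2 = SHA-256


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    algorithm: int
    public_key: bytes
    protocol: int = 3      # always 3 for DNSSEC (RFC 4034 section 2.1.2)

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def is_ksk(self) -> bool:
        return bool(self.flags & SEP_FLAG)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase labels, root label last."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit sum over the RDATA with the carry folded back in."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, key: DNSKEY) -> DS:
    """DS for a DNSKEY: SHA-256 over owner-name wire format || DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    digest = hashlib.sha256(wire_name(owner) + key.rdata()).digest()
    return DS(key_tag(key), key.algorithm, DS_DIGEST_SHA256, digest)


def check_multi_signer(owner: str, parent_ds: set, providers: dict) -> list:
    """Return findings; an empty list means the Model 2 invariants hold:
    a DS at the parent for every provider's KSK, and every provider's
    DNSKEY RRset carrying the ZSKs of all providers."""
    findings = []
    all_zsks = {k for keys in providers.values() for k in keys if not k.is_ksk()}
    for name, keys in providers.items():
        ksks = [k for k in keys if k.is_ksk()]
        if not ksks:
            findings.append(f"{name}: DNSKEY RRset has no KSK")
        for k in ksks:
            if ds_from_dnskey(owner, k) not in parent_ds:
                findings.append(f"{name}: KSK tag {key_tag(k)} has no matching DS at the parent")
        for k in sorted(all_zsks - {z for z in keys if not z.is_ksk()}, key=key_tag):
            findings.append(f"{name}: DNSKEY RRset lacks ZSK tag {key_tag(k)} published by another provider")
    return findings


# Constructed key material: fixed byte patterns standing in for 64-byte P-256 public keys.
ZONE = "example.org"
KSK_A = DNSKEY(257, ALG_ECDSAP256SHA256, bytes(range(0, 64)))
ZSK_A = DNSKEY(256, ALG_ECDSAP256SHA256, bytes(range(64, 128)))
KSK_B = DNSKEY(257, ALG_ECDSAP256SHA256, bytes(range(128, 192)))
ZSK_B = DNSKEY(256, ALG_ECDSAP256SHA256, bytes(range(192, 256)))


def run_example() -> list:
    """Misconfigured setup: only provider A's DS reached the registry, and B never imported A's ZSK."""
    parent_ds = {ds_from_dnskey(ZONE, KSK_A)}
    providers = {
        "provider-a": {KSK_A, ZSK_A, ZSK_B},
        "provider-b": {KSK_B, ZSK_B},
    }
    return check_multi_signer(ZONE, parent_ds, providers)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

In a real deployment the two DNSKEY RRsets would be fetched from each provider's authoritative servers separately (not through a resolver, which would hand back whichever copy it cached) and the DS RRset from the parent; the functions above then apply unchanged. The check deliberately recomputes each DS from the DNSKEY rather than comparing key tags alone, since key tags are not unique.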