In reply to Seth's suggestion:
> Am I reading this bug correctly, that MAAS currently asks BIND to reload its entire configuration
> file on every machine provision and removal?
>
> This seems like a problem worth solving rather than trying to work around.
>
> At least PowerDNS provides several mechanisms for dynamically adding and removing records from
> a zone:
>
> - dnsupdate: https://doc.powerdns.com/authoritative/dnsupdate.html
[...]
> Since dnsupdate is an RFC-standardized protocol there's a pretty good shot BIND supports it as
> well. Was this tried and found lacking? The API and SQL approaches are likely to not have
> equivalents in BIND.
>
> I'm not sure what your DNSSEC goals are, but PowerDNS's documentation describes choices,
> including pkcs#11 in case that's important:
> https://doc.powerdns.com/authoritative/dnssec/index.html
Yes, BIND even has a tool for RFC 2136 packaged [1]. A little howto mentioning DNSSEC in that regard can be found at [2]. It also mentions an AppArmor deny with the setup, but if that would be the blocker I'm sure we can come up with a safe rule that can be added.
This might really be much closer to the design of the DNS server than high-frequency restart/reload. So giving this a thought/experiment on the MAAS side might be great.
[1]: http://manpages.ubuntu.com/manpages/bionic/man1/nsupdate.1.html
[2]: https://dnns.no/dynamic-dns-with-bind-and-nsupdate.html
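As an added example (not code from this bug thread, from MAAS or from BIND), this is what the RFC 2136 path discussed above looks like from the MAAS side: a small shell helper that builds the nsupdate batch for adding a host record on provision and deleting it on release, signed with a TSIG key, so named never has to reload its configuration. The key name, zone, host names and key file path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from MAAS/BIND: build the
# RFC 2136 batch that nsupdate(1) sends to BIND so a host record can be added
# on provision and removed on release without any named.conf reload.
# Assumed (placeholder) BIND setup granting a TSIG key update rights on the
# zone; key name, secret, zone and key file path are constructed for this example:
#
#   key "maas-key" { algorithm hmac-sha256; secret "<base64-secret>"; };
#   zone "maas.example" {
#       type master;
#       file "/var/lib/bind/db.maas.example";
#       update-policy { grant maas-key zonesub ANY; };
#   };

DNS_SERVER=${DNS_SERVER:-127.0.0.1}
DNS_ZONE=${DNS_ZONE:-maas.example}
TSIG_KEYFILE=${TSIG_KEYFILE:-/etc/bind/maas-key.key}   # placeholder path

# nsupdate_batch add|del NAME TTL TYPE [RDATA]
# Prints the nsupdate command script on stdout. Everything up to "send" is
# one RFC 2136 message, which BIND applies atomically, so the delete-then-add
# in the add case replaces a stale record instead of accumulating a second one.
# For del, TTL is accepted for a uniform call signature but not used.
nsupdate_batch() {
    action=$1 name=$2 ttl=$3 type=$4 rdata=$5
    case "$action" in
        add)
            printf 'server %s\nzone %s\nupdate delete %s %s\nupdate add %s %s %s %s\nsend\n' \
                "$DNS_SERVER" "$DNS_ZONE" "$name" "$type" \
                "$name" "$ttl" "$type" "$rdata" ;;
        del)
            printf 'server %s\nzone %s\nupdate delete %s %s\nsend\n' \
                "$DNS_SERVER" "$DNS_ZONE" "$name" "$type" ;;
        *)
            echo "usage: nsupdate_batch add|del NAME TTL TYPE [RDATA]" >&2
            return 2 ;;
    esac
}

# apply_update add|del NAME TTL TYPE [RDATA]
# Signs the batch with the TSIG key and sends it. named can log each accepted
# change through its "update" logging category, an audit trail that a
# regenerated zone file plus reload does not give you.
apply_update() {
    nsupdate_batch "$@" | nsupdate -k "$TSIG_KEYFILE"
}

# Typical calls (not run here):
#   apply_update add node01.maas.example 300 A 10.0.0.11
#   apply_update del node01.maas.example 300 A
```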