What is Zonepub?
‘Zonepub’ is the new zone file generation method that replaces ‘Dynamic Update’. DNS Belgium put it into production on 10 March 2020 for the .brussels and .vlaanderen zones. The .be zone followed on 10 June 2020, later than originally planned because of the Coronavirus crisis.
Why choose Zonepub?
Ten years ago, DNS Belgium was one of the first registries to use the ‘Dynamic Update’ feature of its DNS software. This was a great step forward at the time: changes to the zone file could go live almost instantly. Dynamic Update worked well over the years and proved that it could apply all the necessary changes to the zone file correctly and on time; for the .be zone, for instance, several changes per minute were applied continuously.
But Dynamic Update had one major disadvantage: changes made via the registration platform were written directly into the live zone file, without any additional validation of the zone file before it went live. The risk this entailed became apparent after an update of the DNS software in November 2018, when a software bug caused the DNSSEC data in the zone file to become incorrect.
Because a correct DNSSEC chain is becoming ever more important, DNSSEC validation checks had to be carried out before publication. Two trends show how important this has become:
- more and more resolvers validate DNSSEC signatures
- more and more delegated subdomains are signed with DNSSEC
DNS Belgium eventually chose the Zonepub method explained on this page; it has since been deployed on the live environment.
Description of Zonepub
The Zonepub application consists of three successive stages; as soon as one run has finished, the next one starts:
- Zone file generation
- Zone file signing
- Zone file distribution
We carry out various automatic validation checks at the end of each stage.
Zone file generation is an application that builds a DNS zone file from the registration platform database. Its output is an unsigned zone file that contains all updates registered up to that moment and carries a raised serial number.
After a number of validation checks, the zone file signing process starts. It first adds all DNSSEC records from the previous Zonepub run to the newly generated zone file.
These records are then updated where necessary:
- RRSIG records are regenerated for records that are new, removed or changed in the unsigned zone.
- RRSIG records whose validity period is about to expire are regenerated.
- The NSEC3 chain is generated again.
If signing completes without problems and all subsequent validation checks pass, the zone file distribution process starts. After a final validation round, it distributes the signed zone to our public nameservers by incremental zone transfer (IXFR), which carries only the records that changed compared with the zone file of the previous Zonepub run.
Zonepub: advantages versus disadvantages
The main reason DNS Belgium switched from Dynamic Update to Zonepub for updating the zone file was to introduce additional validation checks. These reduce the chance that an incorrect or incomplete zone file ever goes live, and they let us verify the DNSSEC data in the zone file before it is published.
The validation checks currently implemented are spread over the three Zonepub stages described above:
- Validation of whether the number of changed records falls within predefined thresholds
- Validation of the change in zone file size compared with the previous zone file; it must fall within minimum and maximum thresholds
- Validation of the correctness of the NS and glue records in the zone header (the apex NS set and its glue)
- Validation of whether the serial number has been raised correctly and is still RFC compliant (RFC 1982 serial arithmetic)
- Validation of the EOF marker and the last record in the zone file, so that a truncated file is detected
- Validation of the presence of a number of required records in the zone file
- Check whether every record present at the start of a Zonepub run (zone file generation) is still correctly present at the end of the same run (zone file distribution)
- Validation of the correctness of the TTL value on each record
- Comprehensive DNSSEC validation checks
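The following is an added example, not DNS Belgium's Zonepub code, that puts several of the checks listed above into working form and also shows the two building blocks of the signing and distribution stages described earlier: deciding which signatures are stale (the RRSIG refresh rule) and computing the record-level delta that an IXFR carries. It assumes a toy zone `example.` written in a simplified one-record-per-line format, a trailing `; EOF` comment as the end-of-file marker, a fixed clock `NOW`, and thresholds chosen for a zone of a few records; all of these are assumptions, not details from the page.

```python
"""Pre-publication zone checks and an IXFR delta, modelled on the Zonepub stages.
Added example, not DNS Belgium's code: the zone texts are constructed, the '; EOF'
marker and every threshold are assumptions, records are "owner TTL IN TYPE rdata"."""
from datetime import datetime, timedelta, timezone

SERIAL_MOD, SERIAL_HALF = 2 ** 32, 2 ** 31  # RFC 1982 serial arithmetic
NOW = datetime(2020, 6, 30, 12, 0, tzinfo=timezone.utc)  # assumed clock

PREVIOUS_ZONE = """\
example. 3600 IN SOA ns1.example. hostmaster.example. 2020061001 7200 3600 1209600 3600
example. 3600 IN NS ns1.example.
example. 3600 IN NS ns2.example.
ns1.example. 3600 IN A 192.0.2.1
ns2.example. 3600 IN AAAA 2001:db8::2
example. 3600 IN RRSIG SOA 13 1 3600 20200630000000 20200610000000 12345 example. c2lnMQ==
; EOF
"""
# Next run: serial raised, one delegation added, SOA signature refreshed.
NEW_ZONE = """\
example. 3600 IN SOA ns1.example. hostmaster.example. 2020061002 7200 3600 1209600 3600
example. 3600 IN NS ns1.example.
example. 3600 IN NS ns2.example.
ns1.example. 3600 IN A 192.0.2.1
ns2.example. 3600 IN AAAA 2001:db8::2
example. 3600 IN RRSIG SOA 13 1 3600 20200720000000 20200630000000 12345 example. c2lnMg==
beta.example. 86400 IN NS ns.beta.example.
ns.beta.example. 86400 IN A 192.0.2.20
; EOF
"""
# Faulty run: serial not raised, NS without glue, bad TTL, stale RRSIG, truncated file.
BAD_ZONE = """\
example. 3600 IN SOA ns1.example. hostmaster.example. 2020061001 7200 3600 1209600 3600
example. 3600 IN NS ns1.example.
example. 3600 IN NS ns2.example.
example. 3600 IN NS ns3.example.
ns1.example. 3600 IN A 192.0.2.1
ns2.example. 30 IN AAAA 2001:db8::2
example. 3600 IN RRSIG SOA 13 1 3600 20200701000000 20200610000000 12345 example. c2lnMQ==
"""

def parse_zone(text):
    """Return (records, last_line); a record is (owner, ttl, type, rdata)."""
    records, last = [], ""
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        last = line
        if not line.startswith(";"):
            owner, ttl, _cls, rtype, rdata = line.split(None, 4)
            records.append((owner.lower(), int(ttl), rtype.upper(), rdata))
    return records, last

def serial_increased(old, new):
    """True iff `new` follows `old` under RFC 1982 (greater by less than 2^31)."""
    return 0 < (new - old) % SERIAL_MOD < SERIAL_HALF

def ixfr_delta(prev_records, new_records):
    """Records to delete and to add: the two halves of an IXFR from prev to new."""
    old, cur = set(prev_records), set(new_records)
    return sorted(old - cur), sorted(cur - old)

def validate(prev_text, new_text, now=NOW, *, max_record_delta=5,
             size_ratio=(0.5, 2.0), ttl_range=(300, 86400),
             rrsig_refresh=timedelta(days=3), eof_marker="; EOF"):
    """Failed checks; [] means publish. Toy thresholds, a TLD would use tighter ones."""
    failures = []
    prev, _ = parse_zone(prev_text)
    new, last_line = parse_zone(new_text)
    soas = [r for r in new if r[2] == "SOA"]
    if len(soas) != 1:
        return [f"expected exactly one SOA record, found {len(soas)}"]
    apex, _, _, new_soa = soas[0]
    old_serial = int(next(r for r in prev if r[2] == "SOA")[3].split()[2])
    new_serial = int(new_soa.split()[2])
    # Serial must be raised, and raised the RFC 1982 way (wrap-around allowed).
    if not serial_increased(old_serial, new_serial):
        failures.append(f"serial {old_serial} -> {new_serial} is not an RFC 1982 increase")
    if last_line != eof_marker:  # a truncated or half-written file lacks the marker
        failures.append(f"last line is {last_line!r}, expected {eof_marker!r}")
    # Record count and file size may only move within thresholds.
    delta, ratio = len(new) - len(prev), len(new_text) / len(prev_text)
    if abs(delta) > max_record_delta or not size_ratio[0] <= ratio <= size_ratio[1]:
        failures.append(f"record delta {delta} or size ratio {ratio:.2f} outside thresholds")
    # Required apex records: an NS set, with glue for every in-zone nameserver.
    ns_targets = [r[3].lower() for r in new if r[0] == apex and r[2] == "NS"]
    if not ns_targets:
        failures.append("no NS records at the apex")
    glue_owners = {r[0] for r in new if r[2] in ("A", "AAAA")}
    for target in ns_targets:
        if target.endswith("." + apex) and target not in glue_owners:
            failures.append(f"in-zone nameserver {target} has no glue")
    for owner, ttl, rtype, _ in new:  # every record must carry a sane TTL
        if not ttl_range[0] <= ttl <= ttl_range[1]:
            failures.append(f"{owner} {rtype} has out-of-range TTL {ttl}")
    # DNSSEC: a signature the signing stage should have refreshed must not slip out.
    for owner, _, rtype, rdata in new:  # RRSIG rdata: type alg labels origttl expiration ...
        if rtype == "RRSIG":
            expiry = datetime.strptime(rdata.split()[4], "%Y%m%d%H%M%S")
            if expiry.replace(tzinfo=timezone.utc) - now < rrsig_refresh:
                failures.append(f"RRSIG over {owner} {rdata.split()[0]} expires {rdata.split()[4]}")
    return failures
```

Run against the constructed data, `validate(PREVIOUS_ZONE, NEW_ZONE)` returns an empty list and the zone may be published, while `validate(PREVIOUS_ZONE, BAD_ZONE)` returns five failures (serial, EOF marker, missing glue for ns3, the 30-second TTL and the RRSIG that expires within the refresh window), which is the point at which a Zonepub-style pipeline would stop and alarm rather than publish. `ixfr_delta` on the parsed previous and next zones yields two deletions (the old SOA and its RRSIG) and four additions (the new SOA, its fresh RRSIG and the two records of the new delegation), which is exactly the content an IXFR carries; the same set comparison, restricted to the non-DNSSEC records, is the "every record at the start is still present at the end" check.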
If a check fails, the Zonepub process stops and an alarm is immediately sent to the DNS Belgium operations team. The zone file is not updated until the problem has been resolved manually: we prefer a slightly outdated zone to a faulty one.
Running all these checks takes some time, so updates to the zone go live somewhat later than under the previous Dynamic Update process, where they went live almost instantly.
For the .be zone, which currently contains more than 1.6 million records, a complete Zonepub run takes about 15 minutes; several validation checks run in parallel to speed this up. Updates that arrive just after a run has started are picked up by the next run and therefore go live after about 30 minutes.