Some dnssec-signzone questions

Jay Ford jay-ford at
Tue Feb 1 21:13:34 UTC 2011

On Tue, 1 Feb 2011, Torinthiel wrote:
> Third is about -N option:
> a well established practice (although I don't know what was the origin) is
> to set SOA serial number to eg 2011020101, which is current day and
> two-digit of daily version. This has benefit of being almost as good as
> putting unixtime of last modification, while being much more human-readable.
> How difficult would it be to implement this for  dnssec-signzone -N, using a
> fourth format specifier?

It's not hard.  See my bind-users post of Oct 15 with subject:
    more flexible serial number handling in dnssec-signzone

Since then I've quit using the serial number fiddling ability of
dnssec-signzone.  The problem is that it doesn't increment the serial number
in the unsigned file, so future uses of "dnssec-signzone -N" could result
with the same or even lower values.

Instead, I created a zap-serial tool to zap the serial number in place within
the unsigned zone file, either to a new literal value or incrementing the old
number.  My DNSSEC-related processes now zap the serial number before signing
with dnssec-signzone.  You can find the C source for zap-serial & some
possibly useful other DNSSEC-related scripts here (at least for now):

Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-ford at, phone: 319-335-5555, fax: 319-335-2951

More information about the bind-users mailing list