Some dnssec-signzone questions

Torinthiel torinthiel at
Wed Feb 2 07:07:42 UTC 2011

On 02/01/11 22:13, Jay Ford wrote:
> On Tue, 1 Feb 2011, Torinthiel wrote:
>> Third is about -N option:
>> a well established practice (although I don't know what was the
>> origin) is
>> to set SOA serial number to eg 2011020101, which is current day and
>> two-digit of daily version. This has benefit of being almost as good as
>> putting unixtime of last modification, while being much more
>> human-readable.
>> How difficult would it be to implement this for  dnssec-signzone -N,
>> using a
>> fourth format specifier?
> It's not hard.  See my bind-users post of Oct 15 with subject:
>    more flexible serial number handling in dnssec-signzone
> Since then I've quit using the serial number fiddling ability of
> dnssec-signzone.  The problem is that it doesn't increment the serial
> number
> in the unsigned file, so future uses of "dnssec-signzone -N" could result
> with the same or even lower values.
Yes, that's a problem. Combined with ldns-read-zone and answer to my
first question this could make dnssec-signzone read the good SOA record.
I was also thinking of simply changing it by sed in a script.

> Instead, I created a zap-serial tool to zap the serial number in place
> within
> the unsigned zone file, either to a new literal value or incrementing
> the old
> number.  My DNSSEC-related processes now zap the serial number before
> signing
> with dnssec-signzone.  You can find the C source for zap-serial & some
> possibly useful other DNSSEC-related scripts here (at least for now):
Nice set of scripts. I was thinking of writing my own with probably
similar functionality, but I'll start with those. Main difference is
that I don't store keys online, so I'd like the scripts to notify me
that signing is necessary instead of signing.

More information about the bind-users mailing list