Serial numbers for inline signing

Antonio Querubin tony at lavanauts.org
Wed Dec 18 16:05:56 UTC 2013


Is there a way to keep the serial numbers synced between the primary and 
slaves for auto-maintained zones?  Every once in a while the primary and 
slaves somehow get out of sync and the logs start generating error 
messages about the mismatch.  The mismatch also gets noticed by various 
DNS sanity checkers.

Antonio Querubin
e-mail:  tony at lavanauts.org
xmpp:  antonioquerubin at gmail.com

On Dec 18, 2013, at 10:17 AM, Thomas Schulz <schulz at adi.com> wrote:

> I have a question about the serial number as modified by inline signing.
> I have a static zone, adi.com, that I am setting up for dnssec. I added
>        inline-signing yes;
>        key-directory "dnssec";
>        auto-dnssec maintain;
> to my named.conf file after generating the keys and then did a rndc restart.
> After that I did a
> rndc signing -nsec3param 1 0 10 aef7db3a adi.com
> to switch to nsec3. Checking the resulting serial number, I find that it is
> 2013120423. The serial number in the static zone file is 2013120400.
> Why did it bump it up to 23? I expected something like 02.

I can't tell you why you got an exact number, but the best rule about this is "don't worry about the signed serial number", as BIND will take care of it for you.  As long as you continue to increment the static zone serial number as you always have, the serial in the signed zone will be maintained correctly.

There are a number of things that are happening all the time with the signed zone that you are not aware of, for example, re-signing as signatures reach expiration, re-signing when you change from NSEC to NSEC3, etc.

All of these will keep the signed serial number "bumping up" even when your zone isn't changing.

AlanC
-- 
Alan Clegg | +1-919-355-8851 | alan at clegg.com
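The practical check behind both questions above (is every authoritative server serving the same signed serial, and if not, which one is behind) as an added example; this is not code from the thread or from BIND. It compares the serials the servers actually serve, not the static zone file's serial, since inline signing keeps those different on purpose. Server names, the zone and the sample `dig` output are constructed.

```python
import subprocess
from typing import Dict, Optional

SERIAL_SPACE = 1 << 32  # SOA serials are 32-bit and wrap (RFC 1982)


def parse_soa_serial(answer: str) -> Optional[int]:
    """Pull the SERIAL field out of `dig +short SOA` output.

    Field order is MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM.
    Returns None when the answer is empty or malformed."""
    fields = answer.split()
    if len(fields) < 7 or not fields[2].isdigit():
        return None
    return int(fields[2]) % SERIAL_SPACE


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: True if a is newer than b.

    A plain a > b is wrong near the 2^32 wrap; this handles it."""
    half = SERIAL_SPACE // 2
    return a != b and ((a < b and b - a > half) or (a > b and a - b < half))


def find_lagging(serials: Dict[str, int]) -> Dict[str, int]:
    """Given {server: serial}, return {server: steps_behind_newest}.

    An empty result means every server serves the same serial."""
    newest = None
    for s in serials.values():
        if newest is None or serial_gt(s, newest):
            newest = s
    return {srv: (newest - s) % SERIAL_SPACE
            for srv, s in serials.items() if s != newest}


def query_serial(server: str, zone: str) -> Optional[int]:
    """Ask one authoritative server for the zone's SOA serial via dig.
    Returns None if dig is missing or the query fails."""
    try:
        out = subprocess.run(
            ["dig", "+short", "+norecurse", "@" + server, zone, "SOA"],
            capture_output=True, text=True, timeout=5).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return parse_soa_serial(out)


if __name__ == "__main__":
    # Constructed sample: the primary has re-signed (serial bumped to ..23)
    # while a secondary still serves the pre-signing serial (..00).
    sample = {"ns1.example.net": "ns1.example.net. hostmaster.example.net. 2013120423 3600 900 1209600 3600",
              "ns2.example.net": "ns1.example.net. hostmaster.example.net. 2013120400 3600 900 1209600 3600"}
    serials = {srv: parse_soa_serial(ans) for srv, ans in sample.items()}
    print(find_lagging(serials))  # {'ns2.example.net': 23}
```

For a live check, replace the constructed `sample` with `{srv: query_serial(srv, zone) for srv in servers}` and drop any server that returned None before calling `find_lagging`.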
