Serial numbers for inline signing
Antonio Querubin
tony at lavanauts.org
Thu Dec 19 06:06:22 UTC 2013
On Wed, 18 Dec 2013, Alan Clegg wrote:
> On Dec 18, 2013, at 11:05 AM, Antonio Querubin <tony at lavanauts.org> wrote:
>
>> Is there a way to keep the serial numbers synced between the primary
>> and slaves for auto-maintained zones? Every once in a while the
>> primary and slaves somehow get out of sync and the logs start
>> generating error messages about the mismatch. The mismatch also gets
>> noticed by various DNS sanity checkers.
>
> This is an automatic feature of DNS. I’d concern myself more with “what
> is happening to make my serial numbers differ between my servers”.
>
> Did it work before DNSSEC inline signing?

Yep. The slaves sync up with the master after a zone refresh and stay
that way.

> If you “dig +nssearch zonename” what are your results?

Currently the serial numbers are all in sync. What I don't understand is
what condition causes them to get out of sync (i.e. the slave's serial
number exceeds the master's serial number).
Antonio Querubin
e-mail: tony at lavanauts.org
xmpp: antonioquerubin at gmail.com