Inline-signing feature request: Directly set the signed zone's serial number

Terry Burton tez at terryburton.co.uk
Tue Oct 7 18:03:51 UTC 2014


On 7 Oct 2014 18:42, "Alan Clegg" <alan at clegg.com> wrote:
>
> On 10/7/2014 9:49 AM, Terry Burton wrote:
> > This is especially useful in bootstrapping scenarios where the zone
> > data is held under strict revision control or generated by some
> > provisioning system that "owns" the serial number.
>
> By setting the number backwards, you are breaking all of your slave
> servers and causing no end of problems getting all of THEM corrected.

You've misunderstood. I'm not attempting to decrease the serial number.

With inline signing you have a hidden serial number in the unsigned zone
and an exposed serial number in the signed versions which your slaves
track. After redeployment (following DR, emergency relocation, elastic
capacity expansion, etc.) I want to be able to bump the exposed serial
number (once) back to an appropriate value without having to modify the
unsigned zones.

(For context, the unsigned zone serial number matches the revision number
in a VCS to which the DNS infrastructure hosts and administrators have
read-only access, i.e. mandatory separation of infrastructure and data
access rights.)