Inline-signing feature request: Directly set the signed zone's serial number
Doug Barton
dougb at dougbarton.us
Tue Oct 7 19:33:38 UTC 2014
On 10/7/14 11:03 AM, Terry Burton wrote:
> With inline signing you have a hidden serial number in the unsigned zone
> and an exposed serial number in the signed versions which your slaves
> track. After redeployment (following DR, emergency relocation, elastic
> capacity expansion, etc.) I want to be able to bump the exposed serial
> number (once) back to an appropriate value without having to modify the
> unsigned zones.
>
> (For context, the unsigned zone serial number matches the revision
> number in a VCS to which the DNS infrastructure hosts and administrators
> have read-only access, i.e. mandatory separation of infrastructure and
> data access rights.)
* Check out the unmodified version of the unsigned zone
* Increase the serial number in the checked out copy to be past the one
  in the signed zone
* rndc reload
* Delete the modified version of the zone file, and revert to the master
  copy
... all of which is not to say that your request is not reasonable, just
letting you know that a solution exists.
hope this helps,
Doug
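
The serial bump in the second step of the procedure above, as an added example that is not part of the original message or of BIND itself. It assumes a conventional master-file SOA record with the serial as the first number after the rname and no comment in between; the zone text, names and serial values are constructed, and the signed zone's current serial is passed in by the operator.

```python
import re

# SOA up to and including the serial: "SOA mname rname", optional "(", digits.
# Assumption: no comment sits between the rname and the serial.
SOA_SERIAL = re.compile(r"(\bSOA\s+\S+\s+\S+\s*\(?\s*)(\d+)", re.IGNORECASE)
MOD = 2 ** 32  # SOA serials are 32-bit and wrap (RFC 1982)

# Constructed sample of an unsigned zone as checked out from the VCS.
SAMPLE = """$TTL 3600
@ IN SOA ns1.example.com. hostmaster.example.com. (
        1042 ; serial (VCS revision)
        7200 3600 1209600 3600 )
@ IN NS ns1.example.com.
"""

def serial_gt(a, b):
    """RFC 1982 comparison: True when serial a is ahead of serial b."""
    return a != b and (a - b) % MOD < 2 ** 31

def read_serial(zone_text):
    """Return the SOA serial found in zone_text."""
    match = SOA_SERIAL.search(zone_text)
    if match is None:
        raise ValueError("no SOA serial found")
    return int(match.group(2))

def bump_past(zone_text, signed_serial):
    """Return zone_text with its serial set one past signed_serial.

    The text is returned unchanged when its serial is already ahead, so
    running this twice never moves the serial further than needed.
    """
    if serial_gt(read_serial(zone_text), signed_serial):
        return zone_text
    new_serial = (signed_serial + 1) % MOD
    return SOA_SERIAL.sub(lambda m: m.group(1) + str(new_serial),
                          zone_text, count=1)

if __name__ == "__main__":
    # 2014100705 stands in for the serial the signed zone currently exposes.
    print(bump_past(SAMPLE, 2014100705))
```

Write the returned text to the checked-out working copy only, then continue with the reload and revert steps from the list.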