Inline-signing feature request: Directly set the signed zone's serial number

Doug Barton dougb at
Tue Oct 7 19:33:38 UTC 2014

On 10/7/14 11:03 AM, Terry Burton wrote:

> With inline signing you have a hidden serial number in the unsigned zone
> and an exposed serial number in the signed versions which your slaves
> track. After redeployment (following DR, emergency relocation, elastic
> capacity expansion, etc.) I want to be able to bump the exposed serial
> number (once) back to an appropriate value without having to modify the
> unsigned zones.
> (For context, the unsigned zone serial number matches the revision
> number in a VCS to which the DNS infrastructure hosts and administrators
> have read-only access, i.e. mandatory separation of infrastructure and
> data access rights.)

* Check out the unmodified version of the unsigned zone
* Increase the serial number in the checked out copy to be past the one 
in the signed zone
* rndc reload
* Delete the modified version of the zone file, and revert to the master 

... all of which is not to say that your request is not reasonable, just 
letting you know that a solution exists.

hope this helps,


More information about the bind-users mailing list