Inline-signing feature request: Directly set the signed zone's serial number

Terry Burton tez at
Tue Oct 7 20:57:16 UTC 2014

On 7 Oct 2014 21:44, "Doug Barton" <dougb at> wrote:
> On 10/7/14 11:03 AM, Terry Burton wrote:
>> With inline signing you have a hidden serial number in the unsigned zone
>> and an exposed serial number in the signed versions which your slaves
>> track. After redeployment (following DR, emergency relocation, elastic
>> capacity expansion, etc.) I want to be able to bump the exposed serial
>> number (once) back to an appropriate value without having to modify the
>> unsigned zones.
>> (For context, the unsigned zone serial number matches the revision
>> number in a VCS to which the DNS infrastructure hosts and administrators
>> have read-only access, i.e. mandatory separation of infrastructure and
>> data access rights.)
> * Check out the unmodified version of the unsigned zone
> * Increase the serial number in the checked out copy to be past the one
>   in the signed zone
> * rndc reload
> * Delete the modified version of the zone file, and revert to the master
>
> ... all of which is not to say that your request is not reasonable, just
> letting you know that a solution exists.

Sure, this is the approach that is currently taken. As stressed in my
request, this is purely for convenience... and a little bit of obsessive
data purity - load what you're given without additional processing, etc.

Thanks all the same!
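
The serial bump in the quoted steps, as an added example that is not part of the original thread or of BIND: a Python helper that rewrites the SOA serial in a temporary copy of the unsigned zone so that it is past the signed zone's serial under RFC 1982 serial arithmetic. The zone text, the serial values and the function names are constructed for illustration, and the signed serial is assumed to have been read from the signed zone beforehand.

```python
import re

SERIAL_MOD = 2 ** 32   # SOA serial is an unsigned 32-bit counter
HALF_RANGE = 2 ** 31   # RFC 1982: "greater" means ahead by less than 2^31

# SOA <mname> <rname> [(] <serial>, possibly split across lines
SOA_SERIAL = re.compile(r"\bSOA\s+\S+\s+\S+\s+\(?\s*(\d+)", re.IGNORECASE)

# Constructed sample: serial 1042 stands for the VCS revision number.
UNSIGNED_ZONE = """\
$TTL 3600
@ IN SOA ns1.example.test. hostmaster.example.test. (
        1042 ; serial
        7200 3600 1209600 3600 )
@ IN NS ns1.example.test.
"""

def serial_gt(a, b):
    """True if serial a is past serial b under RFC 1982 arithmetic."""
    return a != b and (a - b) % SERIAL_MOD < HALF_RANGE

def bump_past(zone_text, signed_serial):
    """Return (text, serial) for the temporary copy to load.

    The text is returned unchanged when its serial is already past the
    signed zone's serial; otherwise the serial becomes signed_serial + 1,
    wrapping at 2^32.
    """
    m = SOA_SERIAL.search(zone_text)
    if m is None:
        raise ValueError("no SOA serial found in zone text")
    current = int(m.group(1))
    if serial_gt(current, signed_serial):
        return zone_text, current
    new = (signed_serial + 1) % SERIAL_MOD
    return zone_text[:m.start(1)] + str(new) + zone_text[m.end(1):], new

if __name__ == "__main__":
    # 2014100705 is a constructed value for the exposed (signed) serial.
    text, serial = bump_past(UNSIGNED_ZONE, 2014100705)
    print(serial)
    print(text)
```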