Inline-signing feature request: Directly set the signed zone's serial number
Darcy Kevin (FCA)
kevin.darcy at fcagroup.com
Fri Oct 17 17:06:12 UTC 2014
FYI,
If you had to do this all over again, and your tools are flexible enough to handle arbitrary RRTYPEs, you might consider using a "private" RRTYPE (in the 65280-65534 range). See http://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4 and/or http://tools.ietf.org/html/rfc6895.
Repurposing HINFO for something other than expressing host-related info, is just downright confusing/surprising. Principle of Least Astonishment.
- Kevin
-----Original Message-----
From: bind-users-bounces at lists.isc.org [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Chris Thompson
Sent: Friday, October 17, 2014 12:23 PM
To: Bind Users Mailing List
Cc: Tony Finch
Subject: Re: Inline-signing feature request: Directly set the signed zone's serial number
On Oct 8 2014, Tony Finch wrote:
>Terry Burton <tez at terryburton.co.uk> wrote:
>>
>> This is especially useful in bootstrapping scenarios where the zone
>> data is held under strict revision control or generated by some
>> provisioning system that "owns" the serial number.
>
>Our provisioning system used to think it owned zone serial numbers, but
>when we started signing we moved the version tag into an HINFO record.
In case anyone wonders "why HINFO?", this was because
1. No-one wants to use HINFO at a zone apex for any other reason.
2. As a very ancient type, even early Windows DNS Server implementations
didn't object to it when slaving the zones.
3. One can put arbitrary text strings in it.
... but also for the much less reputable
4. As a low numbered type, it got sorted immediately after the apex
SOA and NS records in a zone file normalised by "named-checkzone -D".
Well, it served me right when we later had to put an A record (sorts before
HINFO) at the apex of cam.ac.uk and I had to modify our normalised-zone-file- comparsion program to allow for that!
--
Chris Thompson
Email: cet1 at cam.ac.uk
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
More information about the bind-users
mailing list